Contributor: Andrea Lelli
Every day, many different targeted attacks occur using various social engineering themes. Social engineering is a critical first stage of a spear-phishing email attack, as it lays the groundwork for the eventual compromise of a victim's computer. The social engineering theme is usually related to the victim’s business or to current news, but occasionally unusual themes show up. Despite their strange nature, these peculiar social engineering themes may be enough to arouse your curiosity. This basic human emotion is difficult to ‘control’ – “Curiosity is the lust of the mind,” as the English philosopher Thomas Hobbes once said.
Last month, we observed a spear-phishing email that claimed to contain classified information in the form of a report [DocumentationReport(7-31-14).zip], about the discovery of an alien footprint on Mars. To add credibility to the email, the attackers impersonated the National Aeronautics and Space Administration (NASA), and signed it as a known astronaut who works for the organization. Instead of a legitimate classified document, Backdoor.Darkmoon (aka Poison Ivy) was attached to the email.
Figure 1. Spear phishing email observed in this attack
Darkmoon is a popular remote access Trojan (RAT) often used in targeted attacks, including attacks themed around the G20 Summit and the Sochi Olympics. Several groups are known to use Darkmoon, but each has applied its own modifications to the Trojan.
Symantec has been monitoring the group that uses this modified version of Darkmoon (Backdoor.Darkmoon.G), and it appears to have been active since at least mid-2012. The group’s primary infection vector is spear-phishing emails, which are frequently paired with an exploit. In this case, a self-extracting RAR file is also used to execute or drop the malicious payload.
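As an added example (not code from Symantec's post), the following Python triage check flags the delivery shape described above: an attachment that is really a Windows executable with a RAR archive appended (a self-extractor), optionally hiding behind a document or archive file extension. It relies only on the documented MZ/PE header layout and the RAR 4.x/5.x marker bytes, and the sample attachment is constructed inline; treat it as a mail-gateway heuristic, not a replacement for antivirus detections.

```python
import struct

# RAR marker blocks (documented format signatures): RAR 4.x and RAR 5.x
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
ZIP_SIG = b"PK\x03\x04"
# Extensions a recipient expects to be a document or archive, not a program
DATA_EXTENSIONS = (".zip", ".rar", ".doc", ".docx", ".pdf", ".xls", ".xlsx")

def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_rar_marker(data: bytes) -> int:
    """Offset of the first RAR marker block in data, or -1 if there is none."""
    hits = [i for i in (data.find(RAR5_SIG), data.find(RAR4_SIG)) if i != -1]
    return min(hits) if hits else -1

def classify_attachment(filename: str, data: bytes) -> dict:
    """Triage verdict for one attachment ('sfx-rar', 'pe', 'rar', 'zip', 'other')
    plus a flag for an executable hiding behind a document/archive extension."""
    pe = is_pe(data)
    rar_at = find_rar_marker(data)
    if pe and rar_at > 0:
        verdict = "sfx-rar"   # executable stub with an archive appended: self-extractor
    elif pe:
        verdict = "pe"
    elif rar_at == 0:
        verdict = "rar"
    elif data.startswith(ZIP_SIG):
        verdict = "zip"
    else:
        verdict = "other"
    mismatch = pe and filename.lower().endswith(DATA_EXTENSIONS)
    return {"is_pe": pe, "rar_offset": rar_at, "verdict": verdict,
            "extension_mismatch": mismatch}

def build_sample_sfx() -> bytes:
    """Constructed test input: a minimal PE-shaped stub followed by a RAR 4.x
    marker, i.e. the layout of a self-extracting RAR (contains no real code)."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)     # 0x40-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x40)      # e_lfanew -> offset 0x40
    stub += b"PE\x00\x00" + b"\x00" * 20          # PE signature + dummy COFF header
    return bytes(stub) + b"\x00" * 64 + RAR4_SIG + b"<archive body omitted>"
```

Run `classify_attachment("DocumentationReport(7-31-14).zip", build_sample_sfx())` to see the verdict `sfx-rar` with `extension_mismatch` set; on real mail, a genuine archive with that name would start with the ZIP or RAR marker, never with an MZ header.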
The sample used in this campaign loads its malicious components through trusted applications, a technique similar to that of Backdoor.Korplug. This technique is not unique to Korplug and was observed recently in Backdoor.Klabcon, which was distributed in a targeted attack that used the Thailand coup d’état as its theme to compromise various officials.
According to our telemetry, several companies have been targeted by this recent Darkmoon campaign. The use of NASA and evidence of aliens may make people think that the attackers were after classified documents related to the aerospace industry, but this has not been confirmed. The targeted companies do not seem to have a strong connection with NASA and are not exclusively related to the aerospace industry. The following sectors were targeted in this attack.
Figure 2. Sectors targeted in alien footprint phishing attack
Symantec offers the following detections to protect users from the Darkmoon malware.
Symantec recommends that users keep their security solutions up to date and exercise caution when opening attachments found in unsolicited emails. Symantec customers that use the Symantec.Cloud service are protected from the spam messages used to deliver this malware. For the best possible protection, Symantec customers should also ensure they use the latest Symantec technologies incorporated into our consumer and enterprise solutions.