Attackers have been spreading two families of remote access Trojans (RATs) to small businesses in India, the UK, and US since the start of 2015. The attackers have been targeting employees responsible for accounts and fund transfers in order to steal money from affected organizations.
The attackers operate with few resources, rely on social engineering rather than exploits, and use two publicly available RATs: Backdoor.Breut and Trojan.Nancrat. However, despite these limitations, the attackers can gain a huge amount of control of victim computers thanks to the malware’s multi-purpose capabilities.
Victims
The campaigns have been occurring since at least early 2015. For most of the year, the targets were mainly located in India, while some others were in the US and other regions. However, activity in India and US has dropped in the past few months while the number of infections in the UK has increased.
Figure 1. Infection activity in the top three targeted regions throughout 2015
In early 2015, the attackers used Backdoor.Breut to mainly target Indian organizations. After August, they used Trojan.Nancrat against UK targets while keeping Backdoor.Breut for other regions.
The attackers don’t focus on specific industries or organizations; they work to gain access to whichever business they can. If they can’t compromise a company, then they move on to another.
Tactics
The attackers spread the RATs by sending emails from spoofed or stolen accounts. Based on campaigns run by Symantec’s Phishing Readiness solution, it’s clear that, on average, employees are susceptible to email-based attacks 18 percent of the time, which is one of the reasons why attackers have exploited this access point so much when trying to spread RATs quickly and effectively. The majority of the messages are sent in the afternoon in Greenwich Mean Time (GMT), or the morning in Eastern Standard Time (EST). This suggests that the attackers are based in Europe or the US. The subjects of their messages relate to finance in order to lure employees who have access to the targeted organizations’ accounts. Some examples include:
- Re:Invoice
- PO
- Remittance Advice
- Payment Advise
- Quotation Required
- Transfer Copy
- TT Payment
- PAYMENT REMITTANCE
- INQUIRY
- Qoutation
- QUOTATION
- Request for Quotation
The emails include archive file attachments, usually with the .zip extension. If the target opens the file, then their computer is infected with either Backdoor.Breut or Trojan.Nancrat. Both of these threats give the attackers complete control of the victim’s computer.
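The traits described above (finance-themed lure subjects, an archive attachment, an afternoon-GMT send time) can be turned into a simple mail-triage score for a SOC. This is an added example, not Symantec's code; the message format, the sample messages and the treatment of .rar/.7z as equivalent to .zip are assumptions.

```python
import re
from dataclasses import dataclass, field

# Subject lines listed in the post, lowercased with any Re:/Fw: prefix removed;
# the attacker's misspelling "qoutation" is kept on purpose.
LURE_SUBJECTS = {
    "invoice", "po", "remittance advice", "payment advise", "quotation required",
    "transfer copy", "tt payment", "payment remittance", "inquiry", "qoutation",
    "quotation", "request for quotation",
}
# Assumption: other archive formats are treated like the .zip attachments seen here.
ARCHIVE_EXT = (".zip", ".rar", ".7z")

@dataclass
class Mail:
    sender: str
    subject: str
    attachments: list = field(default_factory=list)
    hour_utc: int = 0  # send hour in UTC (GMT); the campaign mailed in the GMT afternoon

def normalise_subject(subject):
    """Lowercase, strip Re:/Fw: prefixes and collapse whitespace so lures match loosely."""
    s = re.sub(r"^\s*(re|fw|fwd)\s*:\s*", "", subject.strip().lower())
    return re.sub(r"\s+", " ", s)

def score(mail):
    """Return (score, reasons); each campaign trait adds one point, timing is the weakest."""
    reasons = []
    if normalise_subject(mail.subject) in LURE_SUBJECTS:
        reasons.append("finance lure subject")
    if any(a.lower().endswith(ARCHIVE_EXT) for a in mail.attachments):
        reasons.append("archive attachment")
    if 12 <= mail.hour_utc <= 17:
        reasons.append("afternoon-GMT send time")
    return len(reasons), reasons

def triage(mails, threshold=2):
    """Messages showing at least `threshold` campaign traits, for analyst review."""
    return [m for m in mails if score(m)[0] >= threshold]

# Constructed sample messages, not real mail from the campaign.
SAMPLE = [
    Mail("accounts@example-supplier.test", "Re:Invoice", ["invoice_4471.zip"], 14),
    Mail("hr@corp.test", "Quotation Required", [], 9),
    Mail("ops@corp.test", "Weekly report", ["report.pdf"], 15),
    Mail("finance@partner.test", "TT PAYMENT", ["tt_copy.rar"], 8),
]
```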
Through these infections, the attackers can access the webcam and microphone, log keystrokes, steal files and passwords, and more. The attackers have been observed using the targeted employee’s privileged access to transfer money to an account under their control.
Once a computer is compromised, the attackers spend time assessing it to find out how to steal the money. In some cases, attackers have been known to even download manuals to figure out how to use certain financial software. After they are finished with the computer, they return to sending emails to other targets. This suggests that there are a small number of attackers involved in these campaigns.
Command and control
In the first half of 2015, the attackers used the following domains as command and control (C&C) servers for Backdoor.Breut:
- cleintten101.no-ip.biz
- cleintten.duckdns.org
- clientten1.ddns.net
From August, the attackers configured a variant of Backdoor.Breut to use the following domains as C&C servers:
- akaros79.no-ip.biz
- mathew79.no-ip.biz
- clientten1.ddns.net
After this, they used akaros79.no-ip.biz and mathew79.no-ip.biz for variants of Backdoor.Breut, while applying the original clientten1.ddns.net to Trojan.Nancrat. Once this occurred, they attacked UK targets with Trojan.Nancrat while compromising other regions with Backdoor.Breut. It’s likely that at this stage, the attackers divided responsibilities between themselves to focus on different countries.
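The C&C hostnames above all sit in free dynamic-DNS zones, so DNS query logs are a natural place to look for them. The following added example (not from the post or from Symantec) matches the listed hostnames and, at lower severity, any query into those dynamic-DNS zones; the log line format and the sample lines are constructed assumptions.

```python
import re

# C&C hostnames named in the post, with the family the post associates with each.
CNC_HOSTS = {
    "cleintten101.no-ip.biz": "Backdoor.Breut",
    "cleintten.duckdns.org": "Backdoor.Breut",
    "clientten1.ddns.net": "Backdoor.Breut, later Trojan.Nancrat",
    "akaros79.no-ip.biz": "Backdoor.Breut",
    "mathew79.no-ip.biz": "Backdoor.Breut",
}
# Dynamic-DNS zones the campaign used. A query here is not malicious by itself,
# but from a finance workstation it is unusual enough for a low-severity alert.
DYNDNS_ZONES = ("no-ip.biz", "duckdns.org", "ddns.net")

# Assumed resolver log format: "<timestamp> <client-ip> query <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) query (?P<qname>\S+)$")

def classify(qname):
    """Return (severity, reason) for a normalised query name, or None if uninteresting."""
    if qname in CNC_HOSTS:
        return "high", f"known C&C for {CNC_HOSTS[qname]}"
    if any(qname == z or qname.endswith("." + z) for z in DYNDNS_ZONES):
        return "low", "query into dynamic-DNS zone used by this campaign"
    return None

def scan(lines):
    """Return alerts as (severity, client, qname, reason); unparsable lines are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")  # case and trailing dot are not significant
        hit = classify(qname)
        if hit:
            alerts.append((hit[0], m["client"], qname, hit[1]))
    return alerts

# Constructed sample log, not real resolver data.
SAMPLE_LOG = """\
2015-09-14T13:02:11Z 10.1.20.15 query clientten1.ddns.net
2015-09-14T13:02:12Z 10.1.20.15 query www.example.test
2015-09-14T13:05:40Z 10.1.20.22 query someuser.duckdns.org
malformed line that should be skipped
2015-09-14T13:07:03Z 10.1.20.15 query AKAROS79.no-ip.biz.
"""
```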
Few resources, huge impact
While advanced attack groups attract a lot of attention in the news, it’s important to remember that less skilled attackers can still cause major damage to a targeted company.
Even though the attackers in this case have limited resources, they can use Backdoor.Breut and Trojan.Nancrat to gain total access to a computer. By focusing their RAT infections on specific employees, the attackers can potentially steal a substantial amount of money and sensitive information from affected businesses.
We have seen other campaigns with similar tactics focusing on financial employees. For example, in December, four attack groups targeted Colombian finance departments with malicious email attachments to deliver the W32.Extrat RAT. Given the continued focus on these types of tactics by attackers, businesses around the world should know how to protect their assets against these kinds of operations.
Mitigation
As the attackers in this case use basic social-engineering tactics in their campaigns, users should adhere to the following advice to avoid compromises in the first place:
- Do not open attachments or click on links in suspicious email messages
- Avoid providing any personal information when answering an email
- Never enter personal information in a pop-up web page
- Keep security software up to date
- If you’re uncertain about an email’s legitimacy, contact your internal IT department or submit the email to Symantec Security Response through this portal.
Protection
A full protection stack helps to defend against these attacks, including Symantec.cloud email blocking, web gateway security, and endpoint security. Symantec’s Phishing Readiness solution can also be used to help prevent phishing intrusions.
Symantec and Norton products protect users against the RATs seen in these campaigns under the following detections:
Antivirus