For just over a week, government departments, research institutes and other high-value targets have been on the sharp end of a sophisticated attack, where fake voicemails are being used to create a diversion while malware infects computer systems.
As security researchers at Palo Alto Networks' Unit 42 division detail, it is believed the attack is being perpetrated by the same gang responsible for other malware campaigns including CrazyDuke, Seaduke, CozyDuke, MiniDuke, OnionDuke and CosmicDuke, all of which have been used in targeted attacks against governments in recent years.
Of course, whenever security firms shine a light on the activities of a malware campaign, the attackers have to change their attack frameworks or risk losing a valuable foothold inside major, government-level targets.
The use of bogus voicemails is one of the standard tricks used by the group, which involves duping victims into believing they are listening to a media file containing a voice recording of a female journalist seeking information for a news story while infecting computers with malware in the background.
Of course, a voicemail left on a regular telephone system cannot do anything like this. But through clever social engineering and targeted email campaigns, the attackers are able to dupe users into visiting websites harbouring self-extracting archives containing the voicemail recording alongside other files that download further malicious content from the web.
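The delivery mechanism described above has a recognisable shape: an executable stub with an archive appended to it, whose members are a decoy media file plus something that actually runs. The following is an added example, not code from the original article or from any of the researchers it cites, showing how a triage script can pull that structure apart and flag it. The sample file is constructed inline (a fake "MZ" stub followed by a real ZIP built in memory); the member names, the extension lists and the scoring rule are assumptions chosen for illustration, not indicators taken from the campaign.

```python
import io
import os
import zipfile

# Extensions a lure might use for the decoy and for the payload (assumed lists,
# extend them to match your own environment).
DECOY_EXT = {".wav", ".mp3", ".wma", ".m4a", ".pdf", ".doc", ".docx"}
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".ps1"}


def build_sample_sfx() -> bytes:
    """Constructed sample: a fake PE stub with a ZIP appended, holding a decoy
    'voicemail' and an executable. The stub is padding, not a real program."""
    stub = b"MZ" + b"\x00" * 126  # hypothetical SFX stub
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("voicemail_journalist.wav", b"RIFF\x00\x00\x00\x00WAVEfmt " + b"\x00" * 64)
        zf.writestr("svchost_update.exe", b"MZ" + b"\x00" * 200)  # hypothetical dropper
    return stub + buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control sample: a plain ZIP with only a media file inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("interview.wav", b"RIFF\x00\x00\x00\x00WAVEfmt " + b"\x00" * 64)
    return buf.getvalue()


def analyse_sfx(data: bytes) -> dict:
    """Inspect a blob that may be a self-extracting archive and report what it
    carries. Python's zipfile tolerates data prepended to an archive, which is
    exactly the SFX layout, so the stub does not have to be stripped first."""
    report = {
        "is_pe_stub": data[:2] == b"MZ",
        "embedded_zip": False,
        "members": [],
        "decoys": [],
        "executables": [],
        "masquerading": [],  # member whose content is PE but whose name is not
        "suspicious": False,
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    report["embedded_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = os.path.splitext(name.lower())[1]
            report["members"].append(name)
            head = zf.open(info).read(2)  # only the magic bytes are needed
            if ext in EXEC_EXT:
                report["executables"].append(name)
            elif ext in DECOY_EXT:
                report["decoys"].append(name)
                if head == b"MZ":
                    report["masquerading"].append(name)
    # Scoring rule (assumed): a PE stub carrying an archive that bundles a decoy
    # with an executable, or any member lying about its type, is worth a look.
    bundled_lure = report["is_pe_stub"] and report["decoys"] and report["executables"]
    report["suspicious"] = bool(bundled_lure or report["masquerading"])
    return report


if __name__ == "__main__":
    for label, blob in (("sample sfx", build_sample_sfx()), ("benign zip", build_benign_zip())):
        r = analyse_sfx(blob)
        print(label, "->", "SUSPICIOUS" if r["suspicious"] else "clean", r["members"])
```

Run it on the constructed samples and the SFX is flagged while the plain archive is not. The point of checking member magic bytes rather than only names is that a lure can just as easily ship the payload as "voicemail.wav" and rely on the stub to rename it on extraction.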
Researchers at Kaspersky note that in other instances the lure might be a PDF claiming to contain a report into terrorism.
Often the sites harbouring the malicious code are themselves legitimate, compromised sites that are being exploited by the hackers due to sloppy security.
Malware like this prefers to keep a low profile and not draw undue attention to itself because it has too much to lose if discovered.
Rather than causing disruption, it would much rather hide and quietly steal and exfiltrate sensitive information via legitimate cloud services, hoping to go undetected for as long as possible.
But clearly, to infect systems in the first place, it requires user involvement. Computer users either need to visit a compromised watering-hole website which can launch a drive-by download onto their PC, or social engineering needs to play its part in getting the user to open a file or visit a web link.
That’s why the attackers have dressed their attack up as an innocent-seeming voicemail from a female journalist, or why – as Symantec described in a blog post about SeaDuke earlier this week – the group began its campaign in March 2014 using emails themed around a funny “Office Monkeys” video.
The use of what the marketing world likes to call “viral” content is highly effective. Amusing videos of monkeys in the workplace, or dogs on skateboards, are precisely the kind of thing that everyone likes to watch on the net regardless of whether they work in a government department or on a factory floor.
Human beings find it difficult to resist clicking on something which they think might be amusing or shocking and may let their guard drop as a result.
And that’s the moment that the hackers strike.
Be on your guard, put security systems in place to increase the chances of detecting suspicious behaviour on your network, and remind your staff to think before they click.