Hackers target Japanese academics with phishing campaign to steal research data

A phishing campaign targeting academics in Japan has a malware payload that exfiltrates passwords and documents from potential victims' computers.

Phishing attacks remain a top tactic for targeting cyberattacks at business
Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • BlackTech, the group responsible for the attack, has targeted governmental organizations and government contractors since at least 2010.
  • The organization is known for using vulnerabilities sold in Black Hat hacking circles, and taken from Hacking Team leaks.

The cyber espionage group BlackTech, which has targeted organizations in East Asia since at least 2010, has in recent months engaged in an email phishing campaign, purporting to be from the Japanese Ministry of Education, Culture, Sports, Science and Technology, otherwise known as MEXT. These emails contain links to Dropbox downloads which contain malware called TSCookie by JPCERT, also called PLEAD by Trend Micro.

TSCookie works as a dropper that connects to a command and control (C&C) server to download the malware payload TSCookieRAT / DRIGO. Variants of TSCookie have historically relied on right-to-left override (RTLO) vulnerabilities, most recently CVE-2017-0199, a vulnerability in Microsoft Office handling of RTF documents which was used by an unknown group last August in a spear phishing attack. Other variants rely on an Adobe Flash vulnerability developed by the uncreatively-named Italian firm "Hacking Team," which itself was hacked. A similar, fileless version of TSCookie relied on a related Flash vulnerability also disclosed in the Hacking Team data dump.

SEE: Security awareness and training policy (Tech Pro Research)

According to Trend Micro, TSCookie also scans for vulnerable routers, and uses the VPN features of vulnerable routers to create new C&C servers, or new servers from which to propagate itself. It also utilizes the CVE-2017-7269 vulnerability in Microsoft IIS 6.0 to create additional C&C servers.

From the JPCERT report, the TSCookieRAT payload is capable of executing arbitrary shell commands on an infected computer, as well as sending drive and system information back to the attackers. Additionally, it can send files and file metadata to the attackers, and has a function to harvest and transmit passwords from Internet Explorer, Edge, Chrome, Firefox, and Microsoft Outlook. This data is transmitted to the attackers unencrypted.

Trend Micro also noted that PLEAD, another payload used by BlackTech "contains a refresh token tied to specific Gmail accounts used by the attackers, which are in turn linked to a Google Drive account. The stolen files are uploaded to these Google Drives, where the attackers can harvest them."

SEE: Phishing and spearphishing: A cheat sheet for business professionals (TechRepublic)

While the identity of BlackTech is unclear--this specific phishing campaign used a subject line that translates to "2018 MEXT Research Program." The email requests the reader to submit information about research plans, implying that research grants may be available. Given the file-grabbing nature of the malware payload, it can be inferred that the attackers are attempting to steal research data. Of note, the phishing campaign prompted Kyoto University to issue a warning about the malware threat.

BlackTech has also been cited by Trend Micro as the originator of similar attacks, including "Shrouded Crossbow," which uses modified versions of the BIFROST backdoor source code, which the company claims was available for sale for $10,000. Notably, a Unix-compatible version of BIFROST exists. Given this, and the use of Hacking Team exploits, BlackTech appears both to be well-funded and to not have the independent capability to discover vulnerabilities for use in attacks.

Also see

Image: iStockphoto/weerapatkiatdumrong