The campaign was discovered by experts from Kaspersky Lab who speculate the attackers are financially motivated.
“Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.” reads the blog post published by Kaspersky.
“According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts,”
Once the attackers have gained access to the victim’s system they will search for any purchase documents, as well as the financial and accounting software. Then the crooks look for various ways in which they can monetize their effort, for example, by spoofing the bank details used to make payments.
According to Kaspersky, there was a spike in the number of spear phishing messages in November 2017 that targeted up to 400 industrial companies located in Russia.
The spear-phishing campaign is still ongoing, the messages purported to be invitations to tender from large industrial companies.
The quality of the phishing messages suggests the attackers have spent a significant effort in the reconnaissance phase.
“It is worth noting that the attackers addressed an employee of the company under attack by his or her full name,” state the researchers. “This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim.”
The attackers used both malicious attachments and links to external resources that are used to download the malicious code.
“Malicious files can be run either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter.” states the researchers.
“For example, the archive mentioned above contains an executable file, which has the same name and is a password-protected self-extracting archive. The archive extracts the files and runs a script that installs and launches the actual malware in the system.”
The malicious library includes the system file winspool.drv that is located in the system folder and is used to send documents to the printer.
The winspool.drv decrypts the attackers’ configuration files, including software settings and the password for remotely controlling the target machine.
In the case of RMS, one of the configuration files includes the email address used by the attacker to receive the information (i.e. computer name, username and the RMS machine’s internet ID) about the infected system.