Fake Palo Alto Cyber-conference Invites Deliver Spy Trojan

Fake Palo Alto Cyber-conference Invites Deliver Spy Trojan

Threat actors with a healthy sense of irony are using fake offers for free registrations to Palo Alto Networks’ upcoming Cyber Security Summit to deliver malware.

The event is being hosted on November 3 in Jakarta, Indonesia, and Palo Alto researcher Robert Falcone explained that the effort is related to ongoing Operation Lotus Blossom attack campaigns in the Asia Pacific region. The phishing emails ultimately deliver a payload that is a variant of the Emissary Trojan, which is an Operation Lotus Blossom go-to bit of code.

The Emissary trojan is a cyber-espionage tool. While it lacks more advanced functionality like screen capturing, it is still able to carry out most tasks desired by threat actors: exfiltration of files, the ability to download and execute additional payloads, and gaining remote shell access. Its authors have developed several updated versions of Emissary to remain undetected and fresh over time.

Emissary installs in the background while a decoy document showing an image of a previous invitation to the Cyber Security Summit is displayed.

“The malicious email will have an attachment named “[FREE INVITATIONS] CyberSecurity Summit.doc” that if opened will exploit CVE-2012-0158,” he said in an analysis. “Palo Alto Networks hosts cybersecurity summits all over the world, and in many cases we send invitations via email to individuals we believe would be interested in attending….The legitimate invitation emails from Palo Alto Networks did not carry any attachments.”

The file name contains the first portion of the subject of the legitimate invitation emails that Palo Alto sent out, suggesting the Operation Lotus Blossom actors received the email themselves.

Palo Alto was able to determine that the threat actor used Microsoft Word to crop the images from screenshots that the actor took, which offered insight into the threat actor’s system.

“The threat actor is running Windows localized for Chinese users, which suggests the actor’s primary language is Chinese,” Falcone said. “The ‘CH’ icon in the Windows tray shows that the built-in Windows input method editor (IME) is currently set to Chinese. Also, the screenshot shows a popular application in China called Sogou Pinyin, which is an IME that allows a user to type Chinese characters using Pinyin. Pinyin is critical to be able to type Chinese characters using a standard Latin alphabet keyboard, further suggesting the threat actor speaks Chinese.”

Palo Alto has halted its email invitations, so users should disregard all new emails related to invitations to the conference.

Photo © Klagyivik Vikton

Source: Information Security Magazine