Campaigns abusing corporate trusted infrastructure hunt for corporate credentials on ICS networks

Main facts


Kaspersky ICS CERT has uncovered a number of spyware campaigns targeting industrial enterprises. The operators of these campaigns hunt for corporate credentials, aiming to commit financial fraud or to sell the credentials to other malicious actors.
The attackers send spearphishing emails with malicious attachments from compromised corporate mailboxes to those mailboxes' contacts.
The attackers use off-the-shelf spyware, but limit the scope and lifetime of each sample to the bare minimum.
The SMTP services of industrial enterprises are abused not only to send spearphishing emails but also to collect the data stolen by the spyware, serving as a one-way C2 channel.
Up to 45% of all computers attacked appear to be ICS-related (and to have access to the corporate email service).
Overall, we have identified over 2,000 corporate email accounts belonging to industrial companies that were stolen and abused as C2 for subsequent attacks.
Many more (over 7,000 by our estimate) have been stolen and sold on the web or abused in other ways.
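One practical check that follows from the SMTP-as-one-way-C2 finding above: spyware running on an ICS host has to authenticate to the corporate mail service with the stolen account before it can post its loot, so mail-server authentication logs from the ICS segment are a cheap place to look. The script below is an added example, not code from the Kaspersky ICS CERT report; the log line shape, the account names and the ICS subnet list are all constructed assumptions and must be replaced with your own mail server's format and address plan.

```python
"""Flag corporate mailbox logins over SMTP that originate from the ICS segment.

Added example (not from the Kaspersky ICS CERT report). The log line shape,
the accounts and the ICS subnets below are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: address ranges assigned to ICS / OT hosts in this enterprise.
ICS_SUBNETS = [
    ipaddress.ip_network("10.50.0.0/16"),
    ipaddress.ip_network("192.168.200.0/24"),
]

# Assumed (constructed) log line shape: "<ts> smtp auth ok user=<acct> ip=<src>"
AUTH_RE = re.compile(r"^(?P<ts>\S+) smtp auth ok user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_auth_log(lines):
    """Yield (timestamp, account, source IP) for each successful SMTP AUTH line."""
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if m:  # lines that do not match the expected shape are ignored
            yield m["ts"], m["user"], ipaddress.ip_address(m["ip"])


def in_ics_segment(ip):
    """True if the source address belongs to one of the ICS subnets."""
    return any(ip in net for net in ICS_SUBNETS)


def suspicious_smtp_auth(lines):
    """Map account -> sorted list of ICS source IPs it authenticated from.

    A mailbox used as a spyware drop-box shows SMTP logins from hosts that
    have no business sending mail; several distinct ICS sources for one
    account is the stronger signal.
    """
    seen = defaultdict(set)
    for _ts, user, ip in parse_auth_log(lines):
        if in_ics_segment(ip):
            seen[user].add(str(ip))
    return {user: sorted(ips) for user, ips in seen.items()}


# Constructed sample log (not real telemetry).
SAMPLE_LOG = """
2021-04-01T08:12:03Z smtp auth ok user=j.doe@example.com ip=10.20.1.15
2021-04-01T08:15:44Z smtp auth ok user=j.doe@example.com ip=10.50.3.22
2021-04-01T09:01:10Z smtp auth ok user=a.smith@example.com ip=10.50.7.9
2021-04-01T09:05:51Z smtp auth ok user=a.smith@example.com ip=192.168.200.41
2021-04-01T10:30:00Z smtp auth ok user=mailer@example.com ip=10.20.1.200
this line is malformed and is skipped
""".strip().splitlines()


if __name__ == "__main__":
    for account, sources in suspicious_smtp_auth(SAMPLE_LOG).items():
        print(f"{account}: SMTP AUTH from ICS hosts {', '.join(sources)}")
```

Pair this with a baseline of which hosts normally relay mail; a single office workstation sending through the corporate SMTP server is routine, whereas an engineering workstation or HMI doing so with a user's credentials is not.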

“Anomalous” spyware attacks


In 2021, Kaspersky ICS CERT experts noticed a curious anomaly in the statistics on spyware threats blocked on ICS computers. Although the malware used in these attacks belongs to well-known commodity spyware families (such as AgentTesla/Origin Logger, HawkEye, Noon/Formbook, Masslogger, Snake Keylogger, Azorult, Lokibot, etc.), these attacks stand out from the mainstream because each attack has a very limited number of targets and each malicious sample has a very short lifetime, as shown in the red rectangle on the chart below.



Spyware samples blocked on ICS computers in H1 2021, by number of machines (targets) and number of days passed since first seen


The lifespan of the “anomalous” attacks is limited to about 25 days. And at the same time, th ..
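The two axes of the chart above (number of machines a sample was blocked on, and days since it was first seen) are enough to reproduce the "anomalous" classification on your own detection telemetry. The script below is an added example, not Kaspersky ICS CERT code: it aggregates per-sample detection events into a (targets, lifetime) profile and flags samples that sit in the few-targets, short-lifetime corner. The telemetry records are constructed, and the thresholds MAX_TARGETS and MAX_LIFETIME_DAYS are assumptions (the text only says "very limited" and "about 25 days"), so tune them to your own data.

```python
"""Profile blocked spyware samples by target count and lifetime.

Added example, not code from the Kaspersky ICS CERT report. The telemetry
below is constructed and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed thresholds: the report speaks of a "very limited number of targets"
# and a lifespan of "about 25 days"; pick values that fit your telemetry.
MAX_TARGETS = 3
MAX_LIFETIME_DAYS = 25


@dataclass(frozen=True)
class Detection:
    sample_sha256: str  # hash of the blocked spyware sample
    host_id: str        # machine on which it was blocked
    seen: date          # detection date
    ics_related: bool   # host belongs to the ICS segment


@dataclass(frozen=True)
class SampleProfile:
    sample_sha256: str
    targets: int        # distinct machines the sample was blocked on
    lifetime_days: int  # days between first and last detection
    ics_share: float    # fraction of targets that are ICS-related


def parse_events(lines):
    """Parse constructed CSV telemetry: sha256,host,YYYY-MM-DD,ics(0/1)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sha, host, day, ics = (field.strip() for field in line.split(","))
        events.append(Detection(sha, host, date.fromisoformat(day), ics == "1"))
    return events


def profile_samples(events):
    """Aggregate detection events into one (targets, lifetime) profile per sample."""
    by_sample = defaultdict(list)
    for ev in events:
        by_sample[ev.sample_sha256].append(ev)
    profiles = []
    for sha, evs in by_sample.items():
        hosts = {e.host_id for e in evs}
        ics_hosts = {e.host_id for e in evs if e.ics_related}
        first = min(e.seen for e in evs)
        last = max(e.seen for e in evs)
        profiles.append(SampleProfile(sha, len(hosts), (last - first).days,
                                      len(ics_hosts) / len(hosts)))
    return profiles


def is_anomalous(profile, max_targets=MAX_TARGETS, max_lifetime_days=MAX_LIFETIME_DAYS):
    """Few targets and a short lifetime: the 'anomalous' corner of the chart."""
    return profile.targets <= max_targets and profile.lifetime_days <= max_lifetime_days


def anomalous_samples(events, **thresholds):
    """Sorted hashes of samples that fall in the anomalous corner."""
    return sorted(p.sample_sha256 for p in profile_samples(events)
                  if is_anomalous(p, **thresholds))


# Constructed telemetry (hashes shortened; not real samples).
SAMPLE_TELEMETRY = """
# sha256, host, date, ics
aaaa1111,plc-eng-01,2021-03-02,1
aaaa1111,hmi-02,2021-03-05,1
aaaa1111,office-14,2021-03-09,0
bbbb2222,office-03,2021-01-10,0
bbbb2222,office-07,2021-01-25,0
bbbb2222,scada-srv,2021-02-14,1
bbbb2222,office-21,2021-03-30,0
bbbb2222,office-22,2021-04-21,0
cccc3333,eng-ws-05,2021-05-01,1
cccc3333,eng-ws-05,2021-05-03,1
""".strip().splitlines()


if __name__ == "__main__":
    for p in profile_samples(parse_events(SAMPLE_TELEMETRY)):
        label = "ANOMALOUS" if is_anomalous(p) else "mainstream"
        print(f"{p.sample_sha256}: targets={p.targets} lifetime={p.lifetime_days}d "
              f"ics_share={p.ics_share:.2f} -> {label}")
```

On the constructed data, the mass-mailed sample bbbb2222 (five hosts over roughly three months) stays in the mainstream, while aaaa1111 and cccc3333 (three and one hosts within a week) are flagged. The ics_share field lets you check the report's other observation, that a large share of the targets in these campaigns are ICS-related hosts with corporate email access.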
