Attack vector
The threat group uses a previously unseen malware toolkit named MT3, a set of C++ modules that includes a loader, a kernel, HttpTransport, and LinkUpdate.
The toolkit uses custom steganography and multiple encryption schemes, including 3DES and RSA.
To deliver the initial loader module, the threat actors place a self-extracting archive (SFX) inside a RAR file. The loader conceals itself using steganography.
The operating technique
The malware modules are delivered via emails with convincing lures, such as employee contact lists, technical documentation, and medical test results, designed to trick industrial employees into downloading them.
For persistence, the malware modifies Windows Quick Launch shortcuts so that the initial module is executed, without the user's knowledge, whenever they launch a legitimate application.
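A defender-side check for the Quick Launch persistence described above, written for this page as an added example and not taken from the report: it enumerates the current user's Quick Launch and pinned-taskbar shortcuts and flags any whose target, icon, or arguments do not match the application the shortcut appears to launch. The flagging heuristics are this example's own and are not indicators from the report.

```powershell
# Audit Quick Launch shortcuts for targets that do not match the application
# they appear to launch. Hunting example; the rules below are heuristics
# chosen for this illustration, not indicators published for MT3.
$quickLaunch = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

$shell = New-Object -ComObject WScript.Shell
$findings = foreach ($lnk in Get-ChildItem -Path $quickLaunch -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $sc      = $shell.CreateShortcut($lnk.FullName)
    $target  = [Environment]::ExpandEnvironmentVariables($sc.TargetPath)
    $icon    = [Environment]::ExpandEnvironmentVariables((($sc.IconLocation -split ',')[0]))
    $reasons = @()

    # Target lives outside Program Files / Windows, e.g. in a user-writable folder
    if ($target -and -not ($trustedRoots | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') })) {
        $reasons += "target outside trusted roots: $target"
    }
    # Shortcut keeps a legitimate-looking icon but launches a different file
    if ($icon -and $target -and $icon -ne $target) {
        $reasons += "icon ($icon) differs from target"
    }
    # Script hosts and interpreters hidden behind an application-looking shortcut
    if ($target -match '\\(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32)\.exe$') {
        $reasons += "interpreter target with args: $($sc.Arguments)"
    }
    # Unexpected arguments appended to an otherwise legitimate application
    elseif ($sc.Arguments) {
        $reasons += "arguments: $($sc.Arguments)"
    }

    if ($reasons) {
        [pscustomobject]@{
            Shortcut = $lnk.FullName
            Modified = $lnk.LastWriteTime   # a recent change to an old shortcut is itself suspicious
            Target   = $target
            Reasons  = ($reasons -join '; ')
        }
    }
}
$findings | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
```

Shortcuts that legitimately point at an icon library or carry arguments will also be listed, so treat the output as a review queue and compare the LastWriteTime against the shortcut's expected install date.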
Recent attacks
Being targeted by APTs is relatively rare for industrial organizations. However, several other threat groups have been observed doing so recently.
Recently, an APT-style cyberespionage campaign was found targeting an international architectural and video production company via a third-party MAXScript exploit, PhysXPluginMfx.
In August, Russian hackers were found targeting the networks of critical infrastructure providers and organizations in the energy sector.
Conclusion
Threat groups are now changing their tactic and ..