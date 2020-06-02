The attackers used malicious documents and various techniques to make it difficult to detect and analyze their malware, including steganography.

In early 2020, a number of cyber attacks were directed against industrial businesses in various regions of the world.

According to the latest findings of Kaspersky ICS CERT, these attacks focused on systems located in Japan, Italy, Germany and the United Kingdom and targeted equipment and software providers for industrial companies.

Research has shown that the attackers used malicious Microsoft Office documents, PowerShell scripts and various techniques to make it difficult to detect and analyze their malware, including steganography, an ingenious data-hiding technique that conceals messages within digital files.

Attacks on industrial targets naturally attract the attention of the cybersecurity community, since they are complex and focus on sectors of critical value. Any interruption in the operation of these sectors could lead to various unintended consequences, from industrial espionage to extensive financial losses.

The series of attacks examined was no exception. Phishing emails were used as the initial attack vector, and they were adapted and personalized to the language of each victim.

The malware used in this attack carried out its destructive activity only if the language of the operating system matched the language used in the phishing email.

For example, in the case of an attack on a company in Japan, the text of the phishing email and the Microsoft Office document containing the malicious macro were written in Japanese. Furthermore, for the malware module to be decrypted successfully, the operating system also had to be localized in Japanese.

A more detailed analysis showed that the attackers used the Mimikatz tool to steal authentication data for Windows accounts stored on the compromised system.

Attackers can use this information to gain access to other systems within the business network and to extend the attack. The situation is particularly dangerous when attackers obtain access to accounts that hold administrator rights over the domain.
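The credential theft described above leaves a characteristic trace: a process opening a handle to lsass.exe with memory-read rights. The following is an added example, not code from the article or from Kaspersky ICS CERT, of how a defender might flag that behaviour in Sysmon Event ID 10 (ProcessAccess) telemetry. It assumes the events arrive as one key=value line each; the log lines, the allowlist of legitimate callers and the set of suspicious access masks are all constructed for the example and would need tuning for a real environment.

```python
"""Added example (not from the article): flag suspicious handle access to
lsass.exe, the behaviour credential-dumping tools such as Mimikatz produce.
Input is assumed to be Sysmon Event ID 10 (ProcessAccess) records rendered
as key=value lines; everything below is constructed sample data."""
import re

# Access masks frequently requested by credential-dumping tools reading LSASS
# memory (PROCESS_VM_READ combined with query rights). This set is an
# assumption for the example; tune it against your own baseline.
SUSPICIOUS_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Constructed allowlist of system processes that legitimately open LSASS.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\msmpeng.exe",
}

# Constructed sample telemetry: one event per line. Lines 2 and 3 model the
# behaviour we want to surface; the others are benign or irrelevant events.
SAMPLE_LOG = """\
EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410
EventID=10 SourceImage=C:\\Windows\\explorer.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1410
EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split a key=value line into a dict (values contain no spaces here)."""
    return dict(FIELD_RE.findall(line))


def is_suspicious(event):
    """True when a non-allowlisted process opens lsass.exe with a risky mask."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return False
    try:
        mask = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        # A malformed mask is worth a human look rather than a silent drop.
        return True
    return mask in SUSPICIOUS_MASKS


def find_lsass_access(log_text):
    """Return the SourceImage of every event that trips the rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_suspicious(event):
            hits.append(event["SourceImage"])
    return hits


if __name__ == "__main__":
    for image in find_lsass_access(SAMPLE_LOG):
        print("suspicious LSASS access from", image)
```

Run against the constructed sample it reports the Temp-folder svchost.exe look-alike and the PowerShell process, while the allowlisted csrss.exe and the notepad.exe access go unflagged. The allowlist matters in practice: endpoint protection and several Windows components open LSASS routinely, so the rule is only as quiet as that list is complete.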

With information from López-Dóriga Digital