Korean Sanny Malware Targets Russian Industries
The attackers don't seem to be interested in hiding either the victims' identities or the nature of the stolen data.
FireEye researchers recently came across new malware called Sanny, which appears to be targeting Russia's space research, information, education and telecommunication industries.
"This particular attack is initiated by a malicious Microsoft Word document sample -- a fairly standard exploit vector," Infosecurity reports. "'One thing that is true in nearly all targeted attacks is that there is an aspect baked in which the cybercriminal gives the victim a decoy document,' the researchers explained. 'As a result, the victim is dissuaded from calling the computer helpdesk, thinking he/she got legitimate content. This attack is no different. To be clear, this clean, legitimate document is embedded inside the malicious document, and launched after the exploit is successful.'"
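The decoy technique described above leaves a recognisable trace: a clean, legitimate document embedded inside the malicious one. The following is an added triage example, not code from FireEye or from the original article, that looks for a second document header (OLE2, ZIP/OOXML, PDF, RTF) at a non-zero offset inside a legacy `.doc`, or an embedded OLE object inside a `.docx`. The sample files it scans are constructed inline and are not real Sanny samples; the signature table and function names are this example's own.

```python
import io
import zipfile

# Magic bytes for common document containers. OLE2 (Compound File Binary)
# covers legacy .doc/.xls/.ppt; PK\x03\x04 covers OOXML (.docx) and any ZIP.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

DOC_SIGNATURES = {
    OLE2_MAGIC: "OLE2 compound document (.doc/.xls/.ppt)",
    ZIP_MAGIC: "ZIP container (.docx/.xlsx/.pptx)",
    b"%PDF-": "PDF",
    b"{\\rtf": "RTF",
}


def scan_bytes(data, skip_zip=False, min_offset=1):
    """Return sorted [(offset, description)] for every signature found at or
    beyond min_offset. Offset 0 is the file's own header, so it is skipped by
    default; anything later is a candidate embedded document."""
    hits = []
    for magic, desc in DOC_SIGNATURES.items():
        if skip_zip and magic == ZIP_MAGIC:
            continue
        start = min_offset
        while True:
            idx = data.find(magic, start)
            if idx == -1:
                break
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def find_embedded_documents(data):
    """Locate document headers anywhere other than the outer file header.

    For OOXML the outer file is a ZIP and every member starts with PK\\x03\\x04,
    so a raw byte scan would flag every part. Instead each member is read and
    scanned on its own; a member that itself begins with a document signature
    (e.g. word/embeddings/oleObject1.bin) is reported as "<member>@0".
    """
    if data.startswith(ZIP_MAGIC):
        hits = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = zf.read(info.filename)
                if member.startswith(ZIP_MAGIC):
                    # Nested ZIP (e.g. an embedded .docx); report, don't recurse.
                    hits.append((f"{info.filename}@0", DOC_SIGNATURES[ZIP_MAGIC]))
                for off, desc in scan_bytes(member, skip_zip=True, min_offset=0):
                    hits.append((f"{info.filename}@{off}", desc))
        return hits
    return scan_bytes(data, min_offset=1)


def build_samples():
    """Constructed samples for this example (not real malware): a clean legacy
    .doc header plus padding, the same header followed by filler bytes and a
    second OLE2 document, and a minimal .docx carrying an OLE object."""
    clean_doc = OLE2_MAGIC + b"\x00" * 504
    decoy = OLE2_MAGIC + b"\x00" * 504 + b"Legitimate-looking decoy text"
    # 8-byte magic + 504 zero bytes + 64 filler bytes puts the decoy at 576.
    trojan_doc = OLE2_MAGIC + b"\x00" * 504 + b"\x90" * 64 + decoy
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", decoy)
    return {
        "clean.doc": clean_doc,
        "trojan.doc": trojan_doc,
        "with_ole.docx": buf.getvalue(),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, find_embedded_documents(blob))
```

A hit is an indicator, not a verdict: legitimate documents embed OLE objects too, and droppers often store the decoy XOR-encoded or compressed, which a plain signature scan will not see. Treat this as a first triage step before dynamic analysis, and pair it with checks on what is launched after the document opens.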
"FireEye believes that Korea might be behind this operation for various reasons," writes Softpedia's Eduard Kovacs. "For one, the SMTP mail and the command and control servers used by the malware are located in Korea (it’s not specified which Korea). Furthermore, the fonts from the bait document are Batang and KP CheongPong, which are also Korean."
"What makes the campaign unique is that the purveyors don't seem interested in hiding their stolen data, which includes credentials, as well as information about where victims are located," writes SC Magazine's Dan Kaplan. "The fraudsters set up their command-and-control center to run on a public Korean message board, the researchers said."
"While all of the attack’s victims are visible in plain text, the stolen data is encoded and sent to the C&C server via HTTP POST, where it's monitored and deleted at what appears to be a two-day interval," writes Threatpost's Christopher Brook. "'It looks like the attacker has a two-day cycle, i.e., after every two days, he/she collects the stolen data and deletes it from the CnC server. In the last five days, the attacker collected and deleted the data three times, approximately after every two days,' according to FireEye."