Cybercriminals borrow from APT playbook in attack against PoS vendors
May 6, 2015
By Lucian Constantin; originally published May 5, 2015
Cybercriminals are increasingly copying cyberespionage groups by using targeted attacks against chosen victims instead of large-scale, indiscriminate infection campaigns.
This change in tactics has been observed among those who launch attacks, as well as those who create and sell attack tools on the underground market.
A recent example of such behavior was seen in a cybercriminal attack against vendors of point-of-sale systems that researchers from RSA documented last week.
The attackers sent emails to specific vendors impersonating small businesses such as restaurants. This technique, known as spear-phishing, is typically associated with advanced persistent threats (APTs)—highly targeted, customized attacks whose goal is usually long-term cyberespionage.
“I am emailing you because nobody from your company is returning my calls,” one of the malicious emails sent to a European PoS vendor reads. “I am having a problem with two of my terminals, getting random blue screens of death. Please give me a call. I have attached my business card!”
The attachment was a malicious Word document that attempted to exploit two Microsoft Office vulnerabilities—CVE-2014-1761 and CVE-2012-0158, the RSA researchers said in a blog post. The exploits were obfuscated to evade antivirus detection with a technique that hadn’t been seen before, they said.
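The lure above delivered a Word attachment aimed at two Office parsing bugs. A first-line check that a mail gateway or an incident responder can run, given here as an added example that is not part of the RSA or FireEye analyses, is to classify each attachment by its leading bytes (OLE2 compound file, RTF, or ZIP-based OOXML) and flag any whose content disagrees with its extension, since a renamed RTF still opens in Word. The sample message, sender address and file names below are constructed for the example; the magic bytes are the documented signatures of those formats, and the verdict labels are this example's own.

```python
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

# Leading bytes of the three containers a "Word document" can arrive in.
# These are the documented signatures of the formats, not indicators from the article.
SIGNATURES = {
    "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy .doc (Compound File Binary)
    "rtf": b"{\\rtf",                             # Rich Text Format
    "zip": b"PK\x03\x04",                         # OOXML .docx is a ZIP container
}

# Which container each extension should contain. Word happily opens an RTF
# that has been renamed to .doc, which is exactly why the check is by content.
EXPECTED = {
    ".doc": {"ole2"},
    ".docx": {"zip"},
    ".rtf": {"rtf"},
}


def classify(data: bytes) -> str:
    """Return the container type implied by the file's first bytes."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig):
            return name
    return "unknown"


def triage_attachments(raw: bytes) -> list[dict]:
    """Parse a raw RFC 822 message and give every attachment a verdict:
    'mismatch' (content contradicts extension), 'review' (Word-family
    document, worth a look when it comes from outside), or 'ok'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        data = part.get_payload(decode=True) or b""
        kind = classify(data)
        if ext in EXPECTED and kind not in EXPECTED[ext]:
            verdict = "mismatch"
        elif ext in EXPECTED or kind in SIGNATURES:
            verdict = "review"
        else:
            verdict = "ok"
        findings.append({"filename": filename, "ext": ext, "type": kind, "verdict": verdict})
    return findings


def sample_message() -> bytes:
    """Constructed sample modelled on the lure: a fake 'business card' that is
    really RTF renamed to .doc, plus a genuine OOXML attachment."""
    msg = EmailMessage()
    msg["From"] = "owner@restaurant.example"      # constructed sender
    msg["To"] = "support@pos-vendor.example"      # constructed recipient
    msg["Subject"] = "Terminals crashing"
    msg.set_content("I have attached my business card!")
    rtf_bytes = b"{\\rtf1\\ansi constructed sample, not a real exploit}"
    msg.add_attachment(rtf_bytes, maintype="application", subtype="msword",
                       filename="business_card.doc")
    docx_bytes = b"PK\x03\x04" + b"\x00" * 16     # ZIP header only, constructed
    msg.add_attachment(docx_bytes, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage_attachments(sample_message()):
        print(f"{f['verdict']:8} {f['filename']:20} ext={f['ext'] or '-':6} content={f['type']}")
```

Run against a real mail spool the script is only a filter, not a verdict: a matching extension says nothing about whether the OLE2 or RTF stream is hostile, so flagged items still go to a sandbox or a document analyser.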
According to researchers from FireEye, who also analyzed the attack, the exploit’s payload was a well-known Trojan called Vawtrak, which can steal passwords and digital certificates, log keystrokes, take screenshots, and enable remote desktop access to infected systems.
Compromising the computers and networks of PoS vendors can prove highly valuable for attackers, because they can use such access to steal schematics, product configurations, customer lists and, more importantly, maintenance or remote support credentials.