Bloomberg Clients Targeted in Phishing Campaign Distributing Remote Access Trojans

Clients of Bloomberg Industry Group are being targeted in a phishing campaign that distributes Remote Access Trojans (RATs), according to a new report published by researchers at Cisco Talos.

The relatively few emails that have been intercepted make it difficult to determine whether this campaign, dubbed Fajan, uses spray-and-pray tactics or whether the emails are more targeted. The small scale of the campaign suggests the attackers are honing their skills and are actively maintaining and developing functionality to make the campaign more successful.

The emails have been sent to clients of Bloomberg Industry Group (formerly Bloomberg BNA), which aggregates news content for industries such as tax/accounting, law, and government and sells it to clients. The intercepted emails use an invoice-based lure with a Microsoft Excel spreadsheet attachment that has a Bloomberg BNA-related name followed by a sequence of numbers. The early messages in this campaign also carried the body text of the email in a second attachment, an RTF file.

The spreadsheet contains a macro which, if enabled, downloads either a malware dropper or the final payload directly; the final payload is a JavaScript- or Visual Basic-based RAT. Once the RAT is installed, the attackers gain full control of the system, with the RAT communicating over HTTP on a non-standard TCP port.
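As an added defender-side illustration (not part of the Talos report or this article), the following Python flags mail and connection records showing the two traits described above: an Excel attachment with a Bloomberg BNA-style name plus a digit sequence (together with any accompanying RTF), and HTTP sessions on a port outside a set assumed here to be standard. The log formats and sample values are constructed.

```python
import re

# Attachment naming described in the report: a Bloomberg BNA-related name
# followed by a run of digits, as an Excel file (legacy or macro-enabled).
ATTACH_RE = re.compile(r"bloomberg[\s_-]*bna.*\d{3,}\.xls[mx]?$", re.IGNORECASE)

# Assumption: ports on which HTTP is considered expected in this environment.
STANDARD_HTTP_PORTS = {80, 443, 8080}


def suspicious_attachments(names):
    """Return attachment names matching the lure pattern; an RTF attachment
    is only flagged when such a spreadsheet is present in the same message."""
    hits = [n for n in names if ATTACH_RE.search(n)]
    if hits:
        hits += [n for n in names if n.lower().endswith(".rtf")]
    return hits


def http_on_nonstandard_port(conn_lines):
    """Parse constructed connection-log lines of the form
    '<src> <dst>:<port> <protocol>' and return (dst, port) tuples for
    HTTP sessions on ports outside STANDARD_HTTP_PORTS."""
    out = []
    for line in conn_lines:
        parts = line.split()
        if len(parts) != 3 or parts[2].lower() != "http":
            continue
        dst, port = parts[1].rsplit(":", 1)
        if int(port) not in STANDARD_HTTP_PORTS:
            out.append((dst, int(port)))
    return out


# Constructed sample data (documentation-range addresses, made-up names).
SAMPLE_ATTACHMENTS = ["Bloomberg BNA 48213901.xls", "invoice_body.rtf"]
SAMPLE_CONN_LOG = [
    "10.0.0.5 203.0.113.9:443 http",
    "10.0.0.5 203.0.113.9:2480 http",
    "10.0.0.7 198.51.100.2:25 smtp",
]

if __name__ == "__main__":
    print("attachments:", suspicious_attachments(SAMPLE_ATTACHMENTS))
    print("odd-port HTTP:", http_on_nonstandard_port(SAMPLE_CONN_LOG))
```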

The researchers were not able to determine the final objective of the campaign because the command and control servers used by the RATs were unresponsive at the time of analysis, but they note that the delivery of RATs suggests the aim of the attacks is surveillance and data exfiltration.

Several different RATs are being delivered, including the NanoCore RAT, which first appeared in 2013 and is still widely used by cybercriminals. The researchers believe the threat group behind this phishing campaign comes from an Arabic-speaking country; the campaign is named after a string identified in a sample VB script. Based on similar scripts uploaded to VirusTotal, the researchers believe the operator uses the handle Security.Najaf and is based in Iraq, although they note this could be a false flag or simply a coincidence.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news