Thursday, 9 October 2014

Cyber-espionage group Sednit attacks again

The infamous Sednit cyber-espionage group that has been attacking various financial institutions in the past has recently started to use a new exploit kit to distribute their malware, ESET research lab is reporting. Among the attacked websites is a large financial institution in Poland. ESET has uncovered that the group uses domains similar to those of existing websites related to the military, defence and foreign affairs to infect computers with their malware.

“We recently came across cases of legitimate financial websites being redirected to a custom exploit kit. Based on our research and on some information provided by the Google Security Team, we were able to establish that it is used by the Sednit group. This is a new strategy for this group which has relied mostly on spear-phishing emails up until now,” says ESET researcher Joan Calvet.

ESET has in particular analysed redirections to the exploit kit from websites belonging to a large financial institution in Poland. In its attack, Sednit is misusing legitimate websites related to military and defence topics. During the exploit attack remotely-controlled malware with various malicious activities is being installed on the system. “This might be indicative of an ongoing campaign against those sectors,” adds Calvet.

In recent years, exploit kits have become a major method employed to spread crimeware, malware intended for mass-scale distribution to facilitate financial fraud and abuse of computing resources for purposes such as sending spam, bitcoin mining, credentials harvesting and other. Since 2012, ESET has observed this strategy is being used for espionage purposes as well in what has become known as “watering-hole attacks” or “strategic web compromises.” A watering-hole attack can be described as redirecting traffic from websites likely to be visited by members of a specific organisation or industry being targeted.

More details and screenshots of the Sednit threat can be found at ESET Ireland's blog.