According to Trend Micro, attacks related to this campaign have infected computers belonging to businesses, governments and other organizations in more than 100 countries around the world.
Trend Micro security researchers have uncovered a still-active cyber espionage operation that has so far compromised computers belonging to government departments, technology companies, media organizations, academic research institutions, and non-governmental organizations in more than 100 countries. The operation, dubbed Safe by Trend Micro, uses phishing emails with malicious attachments to compromise potential victims. Researchers from the security company have dissected how the operation works and published their findings in a document.
Their investigation reveals that the operation relies on two groups of command and control (C&C) servers that are apparently used to carry out two separate attack campaigns with different objectives, but spreading the same malware. In the first phishing campaign, the emails, themed around Tibet and Mongolia, came with a .doc attachment that exploited a vulnerability in Word patched by Microsoft in April 2012. According to logs collected by Trend Micro from the C&C servers, 243 computers – each with a unique IP address – from 11 different countries were infected. However, the researchers found that only three IP addresses, located in Mongolia and South Sudan, were still active at the time of the investigation.
India and the United States lead the victims
The logs of the C&C servers used for the second attack campaign made it possible to count 11,563 unique IP addresses in 116 different countries. But, according to Trend Micro researchers, the actual number of victims is likely much lower: on average, 71 victims actively communicated with these command-and-control servers at some point during the investigation, they said. The emails used for this second round of attacks have not been identified, but the campaign appears to have had a greater reach, and its victims are more geographically dispersed. The first five countries by number of victims are India, the United States, China, Pakistan, the Philippines and Russia.
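The gap between 11,563 unique IP addresses and an average of 71 active victims is the usual one in C&C log analysis: a single infected host checks in from many addresses over time (DHCP churn, NAT, VPN and proxy exits), so a count of distinct IPs inflates the victim count, while a count of distinct hosts per time window is closer to the real footprint. The following is an added example of that analysis, not Trend Micro's code or data; the check-in lines are constructed, and the log layout (timestamp, source IP, country, per-host bot identifier) is an assumption about what a C&C log might record.

```python
"""
Defender-side analysis of C&C check-in logs: why "unique IP addresses"
overstates the number of victims. Added example with constructed data;
the field layout (timestamp, src_ip, country, bot_id) is assumed.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed check-in records: "timestamp src_ip country bot_id".
# Note that bot-a1 and bot-b2 appear from a fresh address on each check-in.
SAMPLE_LOG = """\
2013-05-01T09:00:00 203.0.113.10 IN bot-a1
2013-05-01T09:05:00 203.0.113.11 IN bot-a1
2013-05-01T09:06:00 198.51.100.7 US bot-b2
2013-05-01T10:00:00 198.51.100.8 US bot-b2
2013-05-01T10:02:00 192.0.2.44 CN bot-c3
2013-05-01T12:00:00 203.0.113.12 IN bot-a1
2013-05-01T12:01:00 192.0.2.45 CN bot-c3
2013-05-01T12:30:00 198.51.100.9 PK bot-d4
2013-05-02T09:00:00 203.0.113.13 IN bot-a1
2013-05-02T09:10:00 198.51.100.10 US bot-b2
"""


def parse_log(text):
    """Parse whitespace-separated check-in lines into dicts; skip blanks/comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, country, bot_id = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "country": country,
            "bot": bot_id,
        })
    return records


def unique_ips(records):
    """The naive victim count: distinct source addresses seen."""
    return len({r["ip"] for r in records})


def unique_bots(records):
    """Distinct infected hosts, using the per-host identifier the malware sends."""
    return len({r["bot"] for r in records})


def victims_by_country(records, key="bot"):
    """Per-country count of distinct hosts (key='bot') or addresses (key='ip')."""
    per_country = defaultdict(set)
    for r in records:
        per_country[r["country"]].add(r[key])
    return Counter({c: len(s) for c, s in per_country.items()})


def active_per_hour(records):
    """Distinct hosts checking in within each clock hour, in chronological order."""
    buckets = defaultdict(set)
    for r in records:
        hour = r["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[hour].add(r["bot"])
    return [len(buckets[h]) for h in sorted(buckets)]


def average_active(records):
    """Mean number of concurrently active hosts per hour that saw any traffic."""
    counts = active_per_hour(records)
    return sum(counts) / len(counts) if counts else 0.0


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unique IPs:", unique_ips(recs))            # 10
    print("unique hosts:", unique_bots(recs))         # 4
    print("IPs by country:", victims_by_country(recs, key="ip").most_common())
    print("hosts by country:", victims_by_country(recs).most_common())
    print("active hosts per hour:", active_per_hour(recs))  # [2, 2, 3, 2]
    print("average active:", average_active(recs))    # 2.25
```

On this constructed input the address-based count is 10 while only 4 hosts are infected, and the hourly view shows between 2 and 3 hosts active at once. The same ranking by country changes depending on which key is used, which is why a per-country victim table should state whether it counts addresses or hosts.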
The malware installed on infected computers is primarily intended to steal information, but its capabilities can be extended with additional modules. The researchers found on the command and control servers specific components in the form of plug-ins, as well as ready-to-use programs that can extract the passwords saved in Internet Explorer and Mozilla Firefox and the Remote Desktop Protocol (RDP) credentials stored in Windows. It is always difficult to determine the intentions and the identity of the attackers. However, the Safe campaign malware was developed by a professional software engineer who may be connected to cybercriminal groups located in China, according to the document published by the Trend Micro researchers, who add: the individual was educated at a leading technology university in that same country and appears to have had access to an Internet service company's source code repository.
The IP addresses used to communicate with the C&C servers have been located in several countries, but mainly in China and Hong Kong, as the researchers point out. The attackers also use VPN and proxy tools, such as Tor, which would explain the geographical diversity of the IP addresses.