An unnamed startup firm was expected to attract many visitors from the oil and gas community after receiving sizeable new funding, which made its website a prime place to plant malware aimed at that community's computers.
One of the visitors, an employee from an unnamed industrial company, detected malicious software on the site and contacted cybersecurity provider Bromium Labs for further investigation.
“The user who visited this site was someone in a U.S. Fortune 1000 manufacturing company who was viewing this company after the announcement. This shows a classic end-to-end scenario of how such attacks proliferate organizations,” Rahul Kashyap, chief security architect and head of security research at Bromium, told SCMagazine.com.
The malware Bromium identified exploited a software flaw that was unpatched at the time and had already been exploited in the wild.
On top of that, the attackers had built the malware to evade antivirus products.
“It had obfuscation, anti-debugging, vm-detection, used an unpatched IE vulnerability and some classic social engineering tricks,” Kashyap said.
The exploit code abused an “XMLDOM” weakness in Internet Explorer, which lets a web page test whether particular local files exist, to look for Kaspersky and Trend Micro drivers on the victim's computer. Presumably the attackers had tested the malware against those two products, knew they could detect it, and used the check to steer clear of machines running them.
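The article does not reproduce the attackers' code, and none of it is shown here. The block below is an added example by the editor, not Bromium's or the attackers' code, showing how a defender could flag web content that carries this XMLDOM local-file probe: an MSXML DOM object, `res://` URIs naming local files, and a read of `parseError` to learn whether each file exists. The MSXML ProgIDs, the `res://` scheme and the `parseError` property are real Internet Explorer/MSXML names; the two sample pages and the driver file names inside them are constructed placeholders, since the specific Kaspersky and Trend Micro files probed in this campaign are not given in the article.

```python
import re
from urllib.parse import unquote

# Indicators of the XMLDOM local-file probe: the page creates an MSXML DOM
# object, points it at res:// URIs that name local files, and inspects
# parseError to learn whether each file exists.
XMLDOM_RE = re.compile(r"Microsoft\.XMLDOM|Msxml2\.DOMDocument", re.IGNORECASE)
RES_URI_RE = re.compile(r'''res://([^"'\s<>)]+)''', re.IGNORECASE)
PARSE_ERROR_RE = re.compile(r"\.parseError\b", re.IGNORECASE)


def normalize(html: str) -> str:
    """Undo two cheap obfuscations that hide string literals from naive scanners:
    percent-escapes (unescape('%72%65%73...')) and string concatenation ('re'+'s://').
    Heavier obfuscation (eval of decoded blobs, char-code arrays) is out of scope here."""
    text = html
    # Unquote twice: obfuscated pages sometimes percent-encode the escapes themselves.
    for _ in range(2):
        text = unquote(text)
    # Collapse "a" + "b" / 'a' + 'b' into "ab" so split URIs become searchable.
    text = re.sub(r'''["']\s*\+\s*["']''', "", text)
    return text


def extract_probed_paths(html: str) -> list:
    """Return the local targets a page tests via res:// URIs, de-duplicated, in order."""
    seen = []
    for match in RES_URI_RE.finditer(normalize(html)):
        path = match.group(1).rstrip("/")
        if path not in seen:
            seen.append(path)
    return seen


def classify_page(html: str) -> dict:
    """Flag a page as suspicious only when all three probe ingredients are present.
    A benign page may legitimately use MSXML to parse XML; the probe signature is
    the DOM object plus res:// local targets plus error-code inspection together."""
    text = normalize(html)
    reasons = []
    if XMLDOM_RE.search(text):
        reasons.append("creates MSXML DOM object")
    paths = extract_probed_paths(html)
    if paths:
        reasons.append("loads %d res:// local-file URI(s)" % len(paths))
    if PARSE_ERROR_RE.search(text):
        reasons.append("inspects parseError")
    return {"suspicious": len(reasons) == 3, "probed_paths": paths, "reasons": reasons}


# Constructed sample pages (editor's placeholders, not content from the campaign).
# Legitimate use of MSXML: parses an inline XML string, touches no local files.
BENIGN_PAGE = """
<script>
var doc = new ActiveXObject("Microsoft.XMLDOM");
doc.loadXML("<cfg><item>1</item></cfg>");
</script>
"""

# Probe pattern with light obfuscation. The .sys names are hypothetical stand-ins
# for the antivirus drivers the article says were checked for.
PROBE_PAGE = """
<script>
var x = new ActiveXObject("Micro" + "soft.XMLDOM");
var targets = [
  unescape("%72%65%73://c:\\\\windows\\\\system32\\\\drivers\\\\example_av_a.sys"),
  "re" + "s://c:\\\\windows\\\\system32\\\\drivers\\\\example_av_b.sys"
];
for (var i = 0; i < targets.length; i++) {
  x.async = false;
  try { x.load(targets[i]); } catch (e) {}
  if (x.parseError.errorCode != 0) { report(targets[i], x.parseError.errorCode); }
}
</script>
"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("probe", PROBE_PAGE)):
        print(name, classify_page(page))
```

Run over fetched page bodies or proxy-captured responses, the classifier reports which local files a page is testing for, which is exactly the list a responder wants when deciding whether a visit was targeted at machines running particular security products.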
Finally, the page pushed the victim through a series of website redirects that ended at a site hosting the “Sweet Orange” exploit kit.