Successful attacks make news but unsuccessful attacks are rarely reported, even when the implications of such attempts may be just as deadly. A case in point is the recent failed spear-phishing attempt against security company Digital Bond. Researchers studying this attempt have unearthed leads that points to a much larger campaign.
Last week, one Digital Bond employee received an email that impersonated the CEO of the company. Attached with the email was a.zip file that supposedly contained an old research paper published by the company. The alert employee could nip the attack in its bud.
Researchers analyzing the.zip file, which actually contained malware, found striking similarities with the Shady Rat campaign that was in vogue since 2006 until security major McAfee busted it last year.
Both Shady Rat and this attack used encoded commands obscured in otherwise normal Web pages, and attempted to gain a backdoor entry to the system. Both attacks shared the same command-and-control infrastructure, and both attacks had the malware hosted on research.digitalvortex.com. Once on a system, it was designed to create a backdoor and connect to a C&C server at hint.happyforever.com.
The group behind the attack on Digital Bond hacked web servers, mostly of universities, and hosted malicious configuration files there. They then deployed proxies such as HTran to redirect traffic to the real command and control server.
Shady Rat tracked mostly targeted US defense contractors, and with Digital Bond specializing in offering security solution to industrial control systems, the motive could be the same.