fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Phishing Impersonates Shipping Giant Maersk to Push STRRAT Malware

Phishing Impersonates Shipping Giant Maersk to Push STRRAT Malware

A new phishing campaign using fake shipping delivery lures installs the STRRAT remote access trojan on unsuspecting victim’s devices.

Fortinet discovered the new campaign after spotting phishing emails impersonating Maersk Shipping, a giant in the global shipping industry, and using seemingly legitimate email addresses.

If the recipient opens the attached document, the macro code that runs fetches the STRRAT malware onto their machine, a powerful remote access trojan that can steal information and even fake ransomware attacks.

Also Read: 4 Reasons to Outsource Penetration Testing Services

Impersonating Maersk shipping emails

As seen in the header information of the phishing emails, the messages are routed through recently registered domains that increase the risk of being flagged by email security solutions.

The email claims to be information about a shipment, changes in delivery dates, or notices regarding a fictitious purchase and includes an Excel attachment or links to one that pretends to be the related invoice.

Example phishing email used in campaign
Example phishing email used in campaign
Source: Fortinet

In some cases, Fortinet’s analysts sampled emails that carried ZIP files that contained the STRRAT malware, so no intermediate dropper in the form of a document was used.

The actors have obfuscated the contained packages by using the Allatori tool to evade detection from security products.

The STRRAT infection begins by decrypting the configuration file, copying the malware into a new directory, and adding new Windows registry entries for persistence.

Function responsible for writing new Registry entries
Function responsible for writing new Registry entries
Source: Fortinet

The STRRAT threat

STRRAT malware first gathers basic information on the host system like the architecture and any anti-virus tools running on it and checks local storage and network capability.

Also Read: Vulnerability Assessment vs Penetration Testing: And Why You Need Both

In terms of its functionality, STRRAT can perform the following:

  • Log user keystrokes
  • Facilitate remote control operation
  • Grab passwords from web browsers like Chrome, Firefox, and Microsoft Edge
  • Steal passwords from email clients like Outlook, Thunderbird, and Foxmail
  • Run a pseudo-ransomware module to simulate an infection

This last part is interesting because no files are encrypted in the fake ransomware attack. As such, it’s most likely used to divert the victim’s attention away from the real problem, which is the exfiltration of data.

However, considering that this module essentially blows the cover of STRRAT, its presence and deployment is somewhat contradictory.

The pseudo-ransomware module
The pseudo-ransomware module
Source: Fortinet

Finally, the malware’s communication method isn’t very well optimized for stealthiness either.

“Examining that traffic in Wireshark shows STRRAT being exceptionally noisy. This is likely due to the C2 channel being offline at the time of the investigation,” explains Fortinet’s report

“In its effort to obtain further instructions, the sample attempts to communicate over port 1780 and 1788 at one-second intervals, if not more in some instances.”

C2 addresses spotted in the campaign
C2 addresses spotted in the campaign
Source: Fortinet

Trojans like STRRAT often go ignored for being less sophisticated and more randomly deployed. However, this phishing campaign demonstrates that lesser threats in circulation can still deliver damaging blows to companies.

The phishing emails used in this campaign blend very homogeneously with day-to-day corporate communications in companies that deal with shipments and transportation, so it only takes a tired or careless employee for the damage to be done.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us