Effective Social Engineering Matters More than Zero-Days
There's an interesting criminal campaign in progress against government targets in Ukraine. Note that we usually first see them there, and then they spread out to Western Europe and the US. So here is your heads-up.

It's not particularly advanced from a technical point of view. It doesn't rely on zero-days. And the actors behind the campaign don't seem to have a high level of technical skill.
They've shown considerable skill in picking their targets, using commodity malware, and baiting their phish-hooks with the kinds of document titles likely to attract a bite.

ESET researchers have analyzed three remote access tools used against government agencies in Ukraine. The tools are "Quasar," "Sobaken," and "Vermin." ESET describes the campaign as "criminal espionage" using RATs to access and exfiltrate sensitive files from government systems.

Quasar is an open-source remote access tool easily found on GitHub. Sobaken is closely related to Quasar, but in its case the commodity malware has been modified to have a smaller footprint by removing some functionality to leave room for additional evasive and anti-sandboxing techniques.

Vermin is a custom backdoor that first appeared in 2016. Like Quasar and Sobaken, it's written in .NET, with its code protected to some extent against analysis through the use of commercial or open-source protectors.

None of the three RATs are particularly sophisticated, but they're effectively constructed and intelligently deployed. They're spread principally by social engineering, with the payload typically carried by a maliciously crafted document transmitted as an attachment to an email.

According to ESET, the attackers' skills aren't especially advanced, and they don't appear to have access to zero-days. The file names in the attachments are designed to be attractive to the recipients.

Some examples the researchers provide are, as translated, "Directive on providing security for military personnel of Ukrainian Army and their family members," "A new draft of directive regarding verification of seizure," and "Purchasing department Don OVK. Increase of credit limit."

So the documents appear to be the sort of low-level policies and pre-decisional documents organizations often circulate by email. Once the payloads are in, the victims are subjected to audio recording, keylogging, password theft, and theft of files from USB drives that may be connected to the infected computer.

Some of the techniques are worth noting. One, for example, is their use of the Unicode right-to-left override character in filenames, which makes the characters that follow it display in reverse order. Thus an executable whose name ends in xcod.scr is displayed as ending in rcs.docx, and when coupled with a Word icon it looks like a docx file.

Another technique is to disguise malicious content as a self-extracting RAR archive. The attackers flirted with steganography for a while, but then discarded that approach as unnecessary. Simpler methods worked fine.
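Both tricks described above, the right-to-left override in the filename and the self-extracting archive arriving as an executable attachment, can be caught at a mail gateway by looking at the attachment name and its first bytes. The following Python is an added example written for this post; it is not ESET's code nor anything from the campaign. The extension lists are an assumed gateway policy, the sample filenames and byte strings are constructed, and `displayed_name` approximates how a GUI renders the override rather than reproducing any particular file manager.

```python
"""Attachment screening for RLO filename spoofing and SFX archives (added example, constructed data)."""

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, which ends an override
# Bidi control characters that have no business in an attachment filename (assumed policy).
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Extension lists are an assumed gateway policy, not a complete catalogue.
EXECUTABLE_EXTENSIONS = frozenset({"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "ps1"})
ARCHIVE_EXTENSIONS = frozenset({"rar", "zip", "7z"})

RAR_MAGIC = b"Rar!\x1a\x07"  # common prefix of the RAR 4 and RAR 5 signatures
ZIP_MAGIC = b"PK\x03\x04"    # ZIP local file header


def displayed_name(filename: str) -> str:
    """Approximate what the user sees: text between an RLO and the next PDF (or end of name) is shown reversed."""
    if RLO not in filename:
        return filename
    head, _, tail = filename.partition(RLO)
    overridden, _, rest = tail.partition(PDF)
    return head + overridden[::-1] + rest


def extension_of(name: str) -> str:
    """Lower-cased extension after stripping bidi controls; empty string if there is none."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def is_self_extracting_archive(data: bytes) -> bool:
    """A PE executable (MZ header) that carries a RAR or ZIP body is an SFX stub plus archive payload."""
    return data.startswith(b"MZ") and (RAR_MAGIC in data or ZIP_MAGIC in data)


def assess_attachment(filename: str, data: bytes = b"") -> list:
    """Return the policy findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    shown = displayed_name(filename)
    real_ext = extension_of(filename)
    if any(ch in BIDI_CONTROLS for ch in filename):
        findings.append("bidi-control-in-name")
    shown_ext = extension_of(shown)
    if shown != filename and shown_ext != real_ext:
        # The rendered extension differs from the one the OS will actually use to open the file.
        findings.append(f"extension-spoof:{shown_ext}->{real_ext}")
    if real_ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable:{real_ext}")
    elif data.startswith(b"MZ"):
        # Executable content hiding behind a document-looking extension.
        findings.append("pe-content-with-non-executable-extension")
    if real_ext in ARCHIVE_EXTENSIONS:
        findings.append(f"archive:{real_ext}")
    if is_self_extracting_archive(data):
        findings.append("self-extracting-archive")
    return findings


# Constructed samples: the first name mimics a lure title with the RLO trick applied,
# the second is a minimal stand-in for a RAR SFX, the third is a benign Office document (ZIP container).
SAMPLE_ATTACHMENTS = [
    ("Directive_" + RLO + "xcod.scr", b""),
    ("Order.exe", b"MZ" + b"\x00" * 62 + RAR_MAGIC + b"constructed payload"),
    ("budget.docx", ZIP_MAGIC + b"constructed docx body"),
]


def screen(attachments) -> dict:
    """Map filename to findings for a batch of (filename, bytes) pairs."""
    return {name: assess_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, found in screen(SAMPLE_ATTACHMENTS).items():
        print(repr(displayed_name(name)), "->", found or "clean")
```

Running the block prints each attachment's displayed name next to its findings: the RLO lure shows as `Directive_rcs.docx` but is flagged as a spoofed `.scr` executable, the SFX stub is flagged twice, and the docx is clean. In a gateway you would quarantine on any finding rather than on a score, because each one on its own is a policy violation.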

The ESET researchers' conclusion is worth quoting: "The fact that the attackers successfully used relatively trivial techniques, such as sending RAR and EXE files by email (a bad practice, which still takes place among users) highlights the importance of securing the human factor in computer network protection."

This is the sort of social engineering to which any organization might find itself subjected. Some sound policies reinforced by interactive, new-school user security awareness training can help your employees become harder targets. ESET's research may be found here (PDF).

Today, your employees are frequently exposed to advanced phishing and ransomware attacks.

Here are the Top 5 reasons why you need to deploy new-school Security Awareness Training as soon as possible:

  1. Social Engineering is the No. 1 go-to strategy for the bad guys. Unfortunately, their time is money too. They are going after the human—the weakest link in IT security—and your last line of defense.
  2. Ransomware is only going to get worse in 2018. Email is still their favorite attack vector, and their sophistication is increasing by the month. The downtime caused by ransomware can be massive.
  3. Compliance requirements for awareness training are being sharpened up. Thinking that today you can get away with a yearly one-time, old-school awareness training session is whistling past the graveyard. GDPR is a good example; we have compliance training ready in 24 languages.
  4. Legally you are required to act "reasonably" and take "necessary" measures to cope with a threat. If you don't, you violate either compliance laws, regulations, or recent case law. Your organization must "scale security measures to reflect the threat".
  5. Board members' No. 1 focus today is cyber security. Some very pointed questions will be asked if they read in the Wall Street Journal that your customer database was hacked and the breach data is being sold on the dark web.

Your users are your last line of defense. Find out how affordable creating a "Human Firewall" is. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will, because your filters never catch all of it. Get a quote for your organization now and be pleasantly surprised!
