Positive Technologies: Croatia suffered waves of cyber attacks with a new malware: SilentTrinity via spear-phishing campaign
Croatia has been hit by a wave of state-sponsored cyber attacks using a new malware: SilentTrinity. The malicious code can take control of an infected computer and allows the attacker to execute arbitrary commands. It was discovered by Positive Technologies cyber security experts. According to the researchers, between February and April hackers launched a spear-phishing campaign against government agencies. The messages posed as delivery notifications from the Croatian postal service or other retail services, and they included a Microsoft Excel document saved in the old .xls format and compiled the previous day. The document was weaponized with a malicious macro. Once the victim enabled it, the malicious code (an Empire backdoor) downloaded and executed the malware on the targeted machine.
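The lure described above is a legacy binary-format .xls carrying a VBA macro. A mail gateway or analyst can cheaply triage such attachments before opening them: the old format is an OLE compound file (recognisable by its 8-byte magic), and the directory entries that hold a VBA project have names stored as UTF-16LE that can be spotted in the raw bytes. The following triage script is an added example, not code from Positive Technologies or the article; the sample attachments it inspects are constructed byte strings, not the real lure.

```python
"""Heuristic triage of legacy Office attachments for embedded VBA projects.

Added example (not from the article). It does not parse the OLE structure
fully; it only looks for the compound-file magic and for directory-entry
names that a VBA project leaves behind. Treat hits as "needs sandboxing",
not as proof of malice, and misses as "not proven clean".
"""

# OLE compound-file header magic shared by .xls/.doc/.ppt (binary formats).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# ZIP magic: .xlsx/.docm and friends are OOXML containers, handled elsewhere.
ZIP_MAGIC = b"PK\x03\x04"

# Directory-entry names that indicate a VBA project. OLE stores names as
# UTF-16LE, so we search for the encoded form in the raw file bytes.
VBA_MARKERS = {
    "_VBA_PROJECT": "_VBA_PROJECT".encode("utf-16-le"),  # project stream (Office generic)
    "Macros": "Macros".encode("utf-16-le"),              # storage name used by Word
}

LEGACY_EXTENSIONS = (".xls", ".doc", ".ppt")


def container_type(data: bytes) -> str:
    """Classify the attachment by its leading magic bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def vba_markers_present(data: bytes) -> list:
    """Return the names of VBA-related directory entries found in the bytes."""
    return [name for name, encoded in VBA_MARKERS.items() if encoded in data]


def triage_attachment(filename: str, data: bytes) -> dict:
    """Produce a small verdict record for one attachment."""
    kind = container_type(data)
    markers = vba_markers_present(data) if kind == "ole" else []
    legacy_ext = filename.lower().endswith(LEGACY_EXTENSIONS)
    # Extension/magic mismatch is itself suspicious (e.g. .xls that is not OLE).
    mismatch = legacy_ext and kind != "ole"
    if markers:
        verdict = "quarantine: legacy Office file with VBA project"
    elif mismatch:
        verdict = "review: extension does not match container"
    else:
        verdict = "no macro indicators"
    return {
        "filename": filename,
        "container": kind,
        "vba_markers": markers,
        "verdict": verdict,
    }


# Constructed samples (not real files): enough bytes to exercise the checks.
CLEAN_XLS = OLE_MAGIC + b"\x00" * 64 + "Workbook".encode("utf-16-le") + b"\x00" * 64
MACRO_XLS = (
    OLE_MAGIC + b"\x00" * 64
    + "Workbook".encode("utf-16-le") + b"\x00" * 16
    + "_VBA_PROJECT_CUR".encode("utf-16-le") + b"\x00" * 16
    + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64
)
FAKE_XLS = ZIP_MAGIC + b"\x00" * 32  # an OOXML/ZIP body wearing a .xls name


def run_samples() -> list:
    return [
        triage_attachment("delivery_notice.xls", MACRO_XLS),
        triage_attachment("invoice.xls", CLEAN_XLS),
        triage_attachment("tracking.xls", FAKE_XLS),
    ]


if __name__ == "__main__":
    for record in run_samples():
        print(record)
```

The markers are deliberately narrow: a file that stores its VBA project under an unusual name, or an OOXML container, will not trigger them, which is why the result is a triage hint to route the file to a sandbox rather than a clean/dirty classification.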
The cyber security experts: The malicious code comes from the IronPython project
According to the cyber security experts, SilentTrinity is derived from the IronPython project, uploaded to GitHub in October 2018 by Marcello Salvati. Contact is made with the C2 server to download a ZIP archive containing the necessary dependencies and the main Python script. The archive contents are extracted without being saved to disk, and the dependencies are registered so that Python scripts can be handled properly. The main Python script runs and waits for a task from the attacker; each task is sent as a ready-to-run Python script. The task is run on the victim's system in a separate thread and the result is sent back to the C2 server. The attack against Croatia was also spotted by experts at the Information Systems Security Bureau (ZSIS), which issued two alerts. The Croatian Post has already taken steps to take down the malicious web sites and servers involved in the attacks.
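Two stages of the chain described on this page leave host telemetry that a detection engineer can key on: the macro stage, where an Office process spawns a script interpreter, and the implant stage, where a process that is not a legitimate IronPython host loads the IronPython runtime in order to run the downloaded Python scripts in memory. The script below is an added example, not from Positive Technologies, ZSIS or the SilentTrinity project; it runs two such rules over constructed Sysmon-style events (event ID 1 for process creation, 7 for image load). The DLL name IronPython.dll and the allowlisted host names ipy.exe/ipy64.exe are assumptions about a normal IronPython install, not indicators taken from the article.

```python
"""Detection logic for Office-spawned interpreters and unexpected IronPython loads.

Added example (not from the article). Input is JSON-lines in a Sysmon-like
shape; the sample events are constructed, not captured from the incident.
"""
import json

# Rule 1: Office application launching a scripting/command interpreter.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Rule 2: IronPython runtime loaded by something other than its own host.
# Assumption: a stock IronPython install ships IronPython.dll and ipy.exe/ipy64.exe.
IRONPYTHON_DLL = "ironpython.dll"
EXPECTED_IRONPYTHON_HOSTS = {"ipy.exe", "ipy64.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed line: ignore rather than abort the whole batch
    return events


def detect(events: list) -> list:
    """Apply both rules; return one finding per matching event."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        if eid == 1:
            parent = basename(ev.get("ParentImage", ""))
            child = basename(ev.get("Image", ""))
            if parent in OFFICE_PARENTS and child in INTERPRETERS:
                findings.append({"rule": "office-spawns-interpreter", "host": host,
                                 "detail": f"{parent} -> {child}"})
        elif eid == 7:
            loader = basename(ev.get("Image", ""))
            loaded = basename(ev.get("ImageLoaded", ""))
            if loaded == IRONPYTHON_DLL and loader not in EXPECTED_IRONPYTHON_HOSTS:
                findings.append({"rule": "ironpython-load-unexpected-host", "host": host,
                                 "detail": f"{loader} loaded {loaded}"})
    return findings


# Constructed sample telemetry (not real logs from the Croatian incident).
SAMPLE_LOG = "\n".join([
    json.dumps({"EventID": 1, "Computer": "WS-01",
                "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),
    json.dumps({"EventID": 1, "Computer": "WS-01",
                "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"}),
    json.dumps({"EventID": 7, "Computer": "WS-01",
                "Image": r"C:\Users\user\AppData\Local\Temp\svc_update.exe",
                "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\IronPython.dll"}),
    json.dumps({"EventID": 7, "Computer": "DEV-07",
                "Image": r"C:\Program Files\IronPython 2.7\ipy.exe",
                "ImageLoaded": r"C:\Program Files\IronPython 2.7\IronPython.dll"}),
    "not json at all",
])


def run_sample() -> list:
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

Rule 2 is the one that matters for the in-memory stage: because the archive is never written to disk, file-based indicators are weak, but the runtime DLL still has to be mapped into the host process, and an image-load event from an unexpected path is visible to EDR regardless of what the Python payload does afterwards.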