SWEED cybercrime actor is targeting precision engineering companies based in Italy. The attacker, pretending to be a customer, sent the victim an email containing a Microsoft XLS file with real spare-parts codes, quantities and shipping addresses.
SWEED cybercrime actor is targeting precision engineering companies based in Italy. According to Marco Ramilli, cyber security expert and founder of Yoroi-Cybaze, the sector is a very important business market in Europe: it includes the development of mechanical equipment for automotive, railways, heavy industries and military-grade technology. The attacker pretended to be a customer and sent the victim a well-crafted email containing a Microsoft XLS file with real spare-parts codes, quantities and shipping addresses, an attack schema very similar to the MartyMCFly campaign. The message, coming from email@example.com, asked for an economic proposal and reached specific mailboxes belonging to the purchasing department of a well-known company: a request to quote the entire list of spare parts included in the attached Excel document. The source address looks genuine, since it belongs to a big company that frequently uses precision equipment machines in its production chain.
The cyber security expert: the attachment holds no macro, but there is a trick in the third object. The threat actor leverages the CVE-2017-11882 vulnerability to execute code and drop prestezza.exe. The malware harvests information from registry keys where vendors typically save access credentials or access tokens.
According to the cyber security expert, once the victim opens the document, he actually sees a real-looking Microsoft Excel spreadsheet. It holds no macro code and everything looks genuine except for the third object included in the Excel file. But there is a trick: silently, Object3 launches Equation Editor and exploits a memory corruption vulnerability, executing code on the host. The cybercrime actor, in fact, leveraged CVE-2017-11882, a 17-year-old memory corruption issue in Microsoft Office, to achieve remote code execution. The flaw resides in Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that inserts or edits Object Linking and Embedding (OLE) objects in documents; since Equation Editor runs as a separate process, the exploit needs no macros and is not stopped by disabling them. The exploit implements a drop-and-execute routine, writing a Windows PE file, prestezza.exe, to disk and running it. The malware harvests information from registry keys where vendors typically save access credentials or access tokens.
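The following Python triage script is an added illustration, not code from Yoroi or from Ramilli's analysis. It scans the raw bytes of an Office attachment for the ingredients of the lure described above: the Equation.3 COM class identifier (the object that loads EQNEDT32.EXE), the "Equation Native" stream that carries the object, and an embedded Windows PE such as a drop-and-execute stage would write to disk. The two sample byte strings are constructed for the example and are not the real attachment or prestezza.exe.

```python
"""Static triage for Office attachments: flag Equation Editor (EQNEDT32.EXE)
OLE objects and embedded PE payloads.

Added illustration, not Yoroi tooling. It scans raw bytes and does not parse
the OLE compound file structure, so hits are triage signals, not a verdict."""
import re
import uuid
from dataclasses import dataclass, field

# CLSID of the Equation.3 COM class, the object that launches EQNEDT32.EXE.
EQUATION3_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")

# Indicator table: label -> byte pattern as it appears on disk.
INDICATORS = {
    # CFB directory entries store the CLSID in GUID (mixed-endian) layout.
    "Equation.3 CLSID (binary)": EQUATION3_CLSID.bytes_le,
    # The same CLSID can appear as text in RTF or OOXML wrappers.
    "Equation.3 CLSID (text)": str(EQUATION3_CLSID).upper().encode("ascii"),
    # OLE stream names are stored as UTF-16LE in the CFB directory.
    "Equation Native stream": "Equation Native".encode("utf-16-le"),
    "ProgID Equation.3": "Equation.3".encode("utf-16-le"),
    # A ready-to-drop Windows executable hidden inside the document.
    "Embedded PE header": b"This program cannot be run in DOS mode",
}


@dataclass
class Finding:
    label: str
    offset: int


@dataclass
class TriageResult:
    findings: list = field(default_factory=list)

    @property
    def has_equation_object(self) -> bool:
        return any(f.label.startswith(("Equation", "ProgID")) for f in self.findings)

    @property
    def has_embedded_pe(self) -> bool:
        return any(f.label == "Embedded PE header" for f in self.findings)

    @property
    def verdict(self) -> str:
        if self.has_equation_object and self.has_embedded_pe:
            return "HIGH: Equation Editor object plus embedded PE (drop-and-execute pattern)"
        if self.has_equation_object:
            return "MEDIUM: Equation Editor object present (CVE-2017-11882 surface)"
        return "LOW: no Equation Editor indicators"


def triage(data: bytes) -> TriageResult:
    """Return every indicator hit with its byte offset in the file."""
    result = TriageResult()
    for label, pattern in INDICATORS.items():
        for match in re.finditer(re.escape(pattern), data):
            result.findings.append(Finding(label, match.start()))
    return result


def triage_file(path: str) -> TriageResult:
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed samples (not the real lure): a CFB-like blob carrying an
# Equation.3 object and a PE stub, and a benign workbook-like blob.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SUSPICIOUS_SAMPLE = (
    CFB_MAGIC + b"\x00" * 24
    + "Equation Native".encode("utf-16-le") + b"\x00" * 8
    + EQUATION3_CLSID.bytes_le
    + b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode"
)
BENIGN_SAMPLE = CFB_MAGIC + b"\x00" * 24 + "Workbook".encode("utf-16-le") + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = triage(blob)
        print(f"{name}: {result.verdict}")
        for finding in result.findings:
            print(f"  {finding.label} at offset 0x{finding.offset:x}")
```

A raw byte scan is enough for legacy .xls/.doc files, which are plain OLE compound files; for .xlsx/.docx the embedded object lives in a compressed zip member (for example `xl/embeddings/oleObject1.bin`), so unzip first and feed each member to `triage`. For stream-accurate results, an OLE parser such as oletools' oleobj is the better tool; this script is meant to show which byte-level artefacts give the object away.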
Yoroi's founder believes that SWEED is behind the cyber attacks in Italy. Several elements suggest it.
Ramilli recalls that Cisco Talos found that a large number of ongoing malware distribution campaigns, including notable families such as Formbook, Lokibot and Agent Tesla, could be related to a single threat actor called "SWEED". The cyber security expert finds many similarities with "SWEED", including the original attack vectors, the Microsoft Office exploit used, the LokiBot implementation and the type of victims, so he believes that this attack can also be attributed to the same cybercrime actor. Furthermore, the techniques used and the care taken over the overall attack, which included a study of the victim's products, recall a more recent analysis by Fortinet, so he believes it might be attributed to the same threat actor as well. Finally, the TTPs and communication schema in the attacks against Italian precision engineering companies are so close to each other that it is hard to believe in coincidence.
Photo Credits: Marco Ramilli