French Firms Rocked by Kasbah Hacker? (Mar 2, 2020)
A malware campaign targeting French critical infrastructure firms has been discovered by security researchers at HYAS. The malware network was first uncovered in 2018 and was identified as a variant of “njRAT,” a .NET Remote Access Trojan (RAT) best known for use against victims in the Middle East. In a summary of their findings, HYAS researchers stated that “twelve sectors of critical importance across four key areas of responsibility” were targeted in the campaign, including an automobile manufacturer, an electrical power company, a French bank, a hospital system, multiple nuclear research facilities, postal and transportation systems, and a railway company. The researchers believe these entities were compromised in a coordinated phishing campaign aimed specifically at French infrastructure firms, and that the campaign is likely run by a group of adversaries based in Morocco. HYAS notified French authorities and asked the dynamic Domain Name System (DNS) provider to “sinkhole” the malware network’s domains, redirecting any traffic from infected hosts to the researchers’ own server. According to the dynamic DNS provider, the email addresses used to register the malware network’s domains were associated with the domain of a legitimate business in Morocco, although at the time of this writing it is unclear whether that business itself is involved in any malicious activity.
Recommendation: RATs can often be detected from the host-based artifacts they leave behind and from the network traffic the attacker needs for command and control and for exfiltrating data. Because this campaign relied on dynamic DNS for its infrastructure, lookups of dynamic DNS hostnames from systems with no business need for them are a useful signal, as is a host resolving the same name at regular intervals. Devices and networks should be secured with detection and prevention measures, and anti-spam and antivirus products from trusted vendors should be deployed. It is also important to educate employees on the risks of opening attachments and on validating information from unknown senders: emails from unknown senders should be treated with suspicion, and attachments from such senders should not be opened.
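As an added illustration of the network-side detection recommended above (example code written for this briefing, not HYAS’s tooling and not specific to njRAT), the following Python script runs two heuristics over a DNS query log: it flags lookups for names under a dynamic DNS watchlist, and it flags beaconing, meaning one client resolving the same name at near-constant intervals, which is how a RAT polling its controller tends to look in DNS telemetry. The watchlist zones `ddns.example` and `dyn.example.net`, the log lines, the client addresses and the hostnames are all constructed for the example.

```python
"""Flag candidate RAT command-and-control activity in DNS query logs.

Added example for this briefing; not HYAS's tooling and not njRAT-specific.
Two heuristics:
  1. watchlist: queries for names under dynamic DNS zones (placeholders below),
  2. beaconing: one client resolving the same name at near-constant intervals.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: placeholder dynamic DNS zones; a real deployment loads its own list.
DYNDNS_ZONES = {"ddns.example", "dyn.example.net"}

# Constructed sample log, one "<timestamp> <client> query <qname> <type>" per line.
SAMPLE_LOG = """\
2020-02-28T09:00:00 10.0.0.12 query intranet.corp.example A
2020-02-28T09:00:00 10.0.0.12 query time.corp.example A
2020-02-28T09:00:05 10.0.0.44 query c2-host.ddns.example A
2020-02-28T09:00:07 10.0.0.12 query updates.vendor.example A
2020-02-28T09:02:00 10.0.0.77 query home-cam.dyn.example.net A
2020-02-28T09:03:00 10.0.0.12 query intranet.corp.example A
2020-02-28T09:05:06 10.0.0.44 query c2-host.ddns.example A
2020-02-28T09:10:00 10.0.0.12 query time.corp.example A
2020-02-28T09:10:05 10.0.0.44 query c2-host.ddns.example A
2020-02-28T09:11:30 10.0.0.12 query intranet.corp.example A
2020-02-28T09:12:00 10.0.0.12 query intranet.corp.example A
2020-02-28T09:15:07 10.0.0.44 query c2-host.ddns.example A
2020-02-28T09:20:00 10.0.0.12 query time.corp.example A
2020-02-28T09:20:05 10.0.0.44 query c2-host.ddns.example A
2020-02-28T09:30:00 10.0.0.12 query intranet.corp.example A
2020-02-28T09:30:00 10.0.0.12 query time.corp.example A
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, qname) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[3].lower().rstrip(".")))
    return records


def in_watchlist(qname, zones=DYNDNS_ZONES):
    """True if qname is a watchlisted zone or a name beneath one (label boundary respected)."""
    return any(qname == z or qname.endswith("." + z) for z in zones)


def flag_dyndns(records, zones=DYNDNS_ZONES):
    """Distinct (client, qname) pairs that resolved a watchlisted dynamic DNS name."""
    return {(client, qname) for _, client, qname in records if in_watchlist(qname, zones)}


def detect_beacons(records, min_queries=4, max_cv=0.2):
    """Find (client, qname) pairs queried at regular intervals.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive queries: a fixed poll timer scores near 0, human browsing does not.
    """
    by_pair = defaultdict(list)
    for ts, client, qname in records:
        by_pair[(client, qname)].append(ts)
    beacons = []
    for (client, qname), stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": client, "qname": qname, "queries": len(stamps),
                            "mean_interval": avg, "cv": round(cv, 3)})
    return sorted(beacons, key=lambda b: b["cv"])


def triage(text):
    """Run both heuristics; names that beacon AND sit under a dynamic DNS zone lead."""
    records = parse_log(text)
    watch = flag_dyndns(records)
    beacons = detect_beacons(records)
    both = [b for b in beacons if (b["src"], b["qname"]) in watch]
    return {"watchlist": sorted(watch), "beacons": beacons, "both": both}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Beaconing on its own also catches legitimate pollers (the `time.corp.example` lookups in the sample score a perfect 0), and the watchlist on its own catches a one-off lookup of a consumer device, so the `both` list is where an analyst starts; `min_queries` and `max_cv` are tuning knobs for the environment, not fixed values.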
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.