Croatian government two months under cyber attack with never before seen malware
Government agencies targeted with never before seen malware payload named SilentTrinity.
Attackers, which are suspected to be a state-sponsored unit, have targeted victims using a spear-phishing campaign that mimicked delivery notifications from the Croatian postal or other retail services.
Emails contained a link to a remote website with a lookalike URL, where users were asked to download an Excel document.
The document was laced with malicious code packed as a macro script which appeared to have been largely copied off the internet, from various tutorials or open source projects hosted on StackOverflow.com, Dummies.com, Issuu.com, Rastamouse.me, or GitHub.com.
The macro script, if enabled by the victim, would download and install malware on their systems. Two different sets of malware payloads were detected during these attacks.
The first was the Empire backdoor, a component of the Empire post-exploitation framework, a penetration testing utility. The second was SilentTrinity, another post-exploitation tool, similar to the first.
In a presentation at the Positive Hack Days (PHDays) security conference in May, Alexey Vishnyakov, a Senior Specialist in Threat Analysis for cyber-security firm Positive Technologies, said this was the first time when a malicious threat actor had weaponized the SilentTrinity tool in an active malware distribution campaign.
While they went under the radar for two months, the phishing attacks were eventually detected in early April. The Information Systems Security Bureau (ZSIS), the central state authority responsible for the cyber-security of the Republic of Croatia state bodies, issued two separate alerts about the attacks.
While FireEye never attributed those attacks to a specific hacker group, the targeting of the Ukrainian government is specific to Russian threat actors, who have been targeting the country's officials and government agencies. ■