Nitro malware attack targets industrial companies, relies on social engineering

Symantec published a paper today titled “The Nitro Attacks: Stealing Secrets from the Chemical Industry.” The paper details Symantec’s research into a recent series of targeted attacks on industrial companies.

This “Nitro” attack has an interesting blend of malware techniques that shows some ingenuity. It used a socially engineered email message with a malicious attachment.

While the malware component of the attack was a recycled version of the common remote access Trojan (RAT) PoisonIvy, it was often packaged in an encrypted archive to evade email gateway detection.
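An encrypted archive defeats a gateway precisely because the scanner cannot see what is inside it, so a sensible gateway policy treats uninspectable archives as suspicious in their own right. The check below is an added example, not code from the Symantec paper or from any gateway product: it reads the ZIP general-purpose flag (bit 0 marks an entry as encrypted) and quarantines archives it cannot scan. The sample attachments, file names and the `quarantine`/`scan` decisions are constructed for the example; since Python’s `zipfile` cannot write encrypted entries, the “encrypted” sample is built by setting the flag bit on a plain archive’s headers, which is exactly what a gateway would see.

```python
import io
import zipfile

# Bit 0 of the ZIP general-purpose flag marks an entry as encrypted.
ZIP_ENCRYPTED_FLAG = 0x1

# Archive types the gateway would normally unpack and scan (assumption for this example).
ARCHIVE_EXTENSIONS = (".zip",)


def archive_is_encrypted(data: bytes) -> bool:
    """Return True if any entry is flagged as encrypted, or if the ZIP is unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & ZIP_ENCRYPTED_FLAG for info in zf.infolist())
    except zipfile.BadZipFile:
        # Not a readable ZIP: the gateway cannot inspect it either, so treat it the same way.
        return True


def classify_attachment(filename: str, data: bytes) -> str:
    """Gateway decision: 'quarantine' archives that cannot be scanned, otherwise 'scan'."""
    if filename.lower().endswith(ARCHIVE_EXTENSIONS) and archive_is_encrypted(data):
        return "quarantine"
    return "scan"


def build_sample_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Construct a sample ZIP in memory for the example.

    For the 'encrypted' variant the flag bit is set in both the local file header
    (offset 6 after 'PK\\x03\\x04') and the central directory entry (offset 8 after
    'PK\\x01\\x02'); the payload itself is not encrypted, only the headers are.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            raw[pos + flag_offset] |= ZIP_ENCRYPTED_FLAG
    return bytes(raw)


# Constructed sample attachments (names and contents are made up for the example).
SAMPLE_ATTACHMENTS = {
    "report.zip": build_sample_zip("report.pdf", b"%PDF-1.4 sample document", encrypted=False),
    "flash_update.zip": build_sample_zip("update.exe", b"sample executable bytes", encrypted=True),
    "notes.txt": b"plain text body",
}


def triage(attachments=SAMPLE_ATTACHMENTS) -> dict:
    """Apply the gateway decision to every attachment and return {filename: decision}."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, decision in triage().items():
        print(f"{name}: {decision}")
```

The decision here is deliberately blunt: an archive the gateway cannot open is not delivered, rather than delivered unscanned. A real deployment would add the other container formats the gateway handles and a release path for legitimately encrypted business mail.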


Nitro portrayed itself as a necessary Adobe Flash or anti-virus update, using your desire to be secure to trick you into installing the malware. Like many other targeted attacks that have come to light recently, this one attacks our weakest link, our humanity.

One of the behaviors of the Trojan was to collect password hashes from compromised Windows computers. If you haven’t already gotten the memo, it is an extremely bad idea to give your users administrative rights.

Without administrative rights, malware cannot read the Windows credential cache, which almost always includes admin credentials. Simply restricting permissions would be enough to stunt the spread of an attack like this.

Additionally, the behavior of this malware is quite easy for a host intrusion prevention system (HIPS) or behavioral anti-virus to detect and block. With the multitude of techniques being used by the bad guys, analyzing the behavior of applications is critical.
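To make “analyzing the behavior” concrete, here is an added example of the kind of rule a HIPS applies; it is not code from the Symantec paper or from any product. It runs over constructed process telemetry (the field names, paths, PIDs and addresses are assumptions) and flags the chain the post describes: an executable launched from a user-writable directory that then touches the credential stores and opens an outbound connection. No signature for the Trojan is involved; the rules match only on what the process does.

```python
# Constructed sample telemetry, one record per process event, in the shape an endpoint
# sensor might emit. Field names, paths, PIDs and addresses are assumptions for this example.
SAMPLE_EVENTS = [
    {"pid": 412, "action": "start", "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 412, "action": "connect", "dest": "192.0.2.20:443"},
    {"pid": 3310, "action": "start",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\flash_update.exe"},
    {"pid": 3310, "action": "open_process", "target": r"C:\Windows\System32\lsass.exe"},
    {"pid": 3310, "action": "read_file", "path": r"C:\Windows\System32\config\SAM"},
    {"pid": 3310, "action": "connect", "dest": "203.0.113.10:443"},
]

# Locations an email attachment typically ends up in before it is run.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\")
# OS binaries are exempted from the credential-access rules to keep the example simple;
# a real HIPS would use a signed-binary allow list instead of a path prefix.
SYSTEM_IMAGE_PREFIX = "c:\\windows\\system32\\"
CREDENTIAL_ACCESS = "credential store access (lsass.exe handle or SAM hive read)"


def evaluate(events):
    """Return one alert per process whose observed behavior matches the rules."""
    image_of = {}  # pid -> lower-cased image path recorded at process start
    reasons = {}   # pid -> matched rule descriptions, in the order they fired

    def flag(pid, reason):
        matched = reasons.setdefault(pid, [])
        if reason not in matched:
            matched.append(reason)

    for ev in events:
        pid, action = ev["pid"], ev["action"]
        if action == "start":
            image_of[pid] = ev["image"].lower()
            if any(marker in image_of[pid] for marker in USER_WRITABLE_MARKERS):
                flag(pid, "executable launched from a user-writable directory")
            continue
        if image_of.get(pid, "").startswith(SYSTEM_IMAGE_PREFIX):
            continue
        if action == "open_process" and ev["target"].lower().endswith("\\lsass.exe"):
            flag(pid, CREDENTIAL_ACCESS)
        elif action == "read_file" and ev["path"].lower().endswith("\\config\\sam"):
            flag(pid, CREDENTIAL_ACCESS)
        elif action == "connect" and pid in reasons:
            # Network activity is only interesting once the process is already suspect.
            flag(pid, "outbound connection after suspicious activity")

    alerts = []
    for pid, matched in reasons.items():
        alerts.append({
            "pid": pid,
            "image": image_of.get(pid, ""),
            "severity": "high" if CREDENTIAL_ACCESS in matched else "medium",
            "reasons": matched,
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] pid {alert['pid']} {alert['image']}")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

Note that the launch-location rule on its own only earns a medium severity; it is the combination with credential access that produces a high-severity alert, which is the point of behavioral analysis over single-event signatures.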

The command and control for this Trojan was located on a virtual hosted server in the United States. Symantec’s investigation shows that the person who owns this instance, Covert Grove, is based in the Hebei region of China.

In too many high profile organizations, IT security teams and their users have an adversarial relationship. Additionally, IT often does not use the full capabilities of the tools they purchase, out of fear of false positives.

Blocking suspicious attachments, using proactive detection technologies and educating users could all stop this type of attack from succeeding. If you weren’t one of the victims, this is a great lesson on what you should be doing to protect against the next attack.

Creative Commons photo of Nitro courtesy of acme’s Flickr photostream.