Attackers Wide Awake with New Spear-Phishing Siesta Campaign

A new targeted attack campaign is waking up multiple industries via spear-phishing emails, and it’s getting in by sleeping for a varied time period.

The new campaign, dubbed Siesta, was spotted sending out spear-phishing emails to executives of an undisclosed organization. The email, containing a file download link, was made to dupe executives into downloading a backdoor designed to sleep or wait for a certain period of time in their system. Once it wakes up, the backdoor then connects to malicious servers and lurks inside its target’s network.

Further Trend Micro research reveals that the malware used in the Siesta campaign targets multiple industries: consumer goods and services, energy, finance, healthcare, media and telecommunications, public administration, security and defense, as well as transport and traffic.

How Does the Siesta Attack Work?

“Attackers don’t always rely on complex techniques to get into an organization’s network. They can also use basic social engineering techniques to bait their victims,” says threat researcher Maharlito Aquino.

For Siesta, attackers spoofed the email address from someone within their target organization and used it to send out their emails. They also used their target organization’s name in creating the download link for their malicious.ZIP file containing the backdoor. This made the URL look legitimate.

The attackers went even further and disguised the zipped backdoor as one of the .PDF documents found on their target’s website. Executives who were unaware of these tricks were prone to downloading sleeping backdoors ready to download and execute other bad files.

Similar to most targeted attack campaigns, Siesta focuses on stealing information from high-value targets via tactics that can’t be easily traced.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.