Pawn Storm Espionage Attacks Use Decoys, Deliver SEDNIT

Operation Pawn Storm Using Decoys to Evade Detection View research paper: Operation Pawn Storm Using Decoys to Evade Detection

This Trend Micro research paper unravels a series of attacks that targets military officials as well as various defense contractors. Dubbed as “Operation Pawn Storm,” the group of connected threat actors use three known attack vectors: spear phishing emails that carry multistage malware, a network of phishing websites that use typosquatted domains and a clever but simple OWA trick to fool victims, and malicious iframes injected into legitimate websites.

The first attack vector: Spear Phishing Emails
In the first attack vector, the group of attackers appears to have used spear phishing emails with a malicious document attached. The malicious document would then drop a multistage malware that logs and gathers information about its target victims.

[Read: How Operation Pawn Storm use SEDNIT malware to infiltrate military, government and media targets]

It also appears that the timing of these emails were crucial in carrying out this attack vector: emails were sent out to recipients days or weeks ahead of certain political events and meetings around the world, such as the Asia-Pacific Economic Cooperation (APEC) Forum and the Middle East Homeland Security Summit 2014. These emails were sent out to employees of defense contractors and government agencies, who might be interested in the upcoming conferences and exhibitions.

The second attack vector: Phishing Websites
We uncovered that the attackers behind Operation Pawn Storm have additionally built a network of phishing websites and corporate Outlook webmail accounts access through the use of incorrect or typo squatted domain names (for example: original site is versus the phishing site Typo squatting is a technique also used to fool victims into thinking that the domains are legitimate, thus giving the attackers the opportunity to collect their victims' corporate credentials. Targets are led to typo squatted domain names that resemble a legitimate news site or a site for a conference through spear phishing e-mails (without malicious attachments). When the e-mails get opened in Outlook Web Access (OWA) in the preview pane, targets are likely to fall victim of advanced phishing.

[More: How Operation Pawn Storm puts Outlook Web Access users at risk]

The third attack vector: Malicious iframes
In operation Pawn Storm malicious iframes pointing to very selective exploits have been seen injected into Polish government websites. For selected targets the exploits led to Sednit installations as well.

For a more detailed and in-depth analyses of Operation Pawn Storm, read the full research paper “Operation Pawn Storm Using Decoys to Evade Detection.”


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.