Librarian Ghouls Conducts Industrial Espionage: New Targets – CAD Files

The attackers have now targeted critical design data and drawings.

In early July, Kaspersky Lab reported a new wave of targeted attacks, where attackers sent malicious files under the guise of documents in order to collect confidential information from computers of various companies. Since then, the company has continued to monitor the activity of the group known as Librarian Ghouls and identified changes in their tactics.

While the methods and tools used by the group remain the same, their goals and the format of the data they collect have changed. In July, the attackers were found to be sending malicious .SCR files disguised as a document imitating a UAV report. Now their interest has become wider. Instead of focusing solely on office documents and data from the Telegram messenger, they have begun to target files belonging to programs for modeling and developing industrial systems.

The attack methods remain the same: malicious files are still distributed as RAR archives containing fake documents in .SCR format. If the victim opens such a file, the malware downloads additional malicious components to the computer, collects the data of interest and sends it to the attackers' server. In August and early September, new file names were used, such as "Out_09_04_2024_No6_3223_Organizations_by_Visualization_EP.scr" and "Project TTT 27.08.2024-2.scr".

The subject lines of the malicious emails often refer to urgent requests or reports, making them more enticing to potential victims. In August and early September, subjects such as "On the maintenance of the Catalog of the Russian Electronic Component Bureau (6-3223 of 08/30/2024)" and "Urgent request of the CP from the Military Mechanics" were used. These subject lines help the attackers increase the likelihood that their emails will be opened.

One of the key innovations is the expansion of the list of data collected. Several extensions typical of highly specialized software have now been added to the list of files the malware collects and sends out:
  • .sldprt - part files of the SolidWorks computer-aided design system, used in industrial design for 2D and 3D modeling of parts and assemblies;
  • .cdw - the CAD format of the Russian KOMPAS-3D system, also used to model parts and assemblies;
  • .m3d - a universal format used by various programs to create three-dimensional models of objects;
  • .dwg - a file format used to store two-dimensional and three-dimensional design data and metadata; in particular, it is used by CAD packages such as AutoCAD, CorelCAD and others.
In addition, the malware now also steals documents in *.pdf format.
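Two defensive checks that follow from the delivery vector and the collection list above, written as an added example (not Kaspersky's code and not the group's tooling): a mail-gateway check that flags .SCR executables inside an archive when they are named like documents, and an endpoint heuristic that flags a process outside a CAD-application allowlist reading many of the targeted file types. The process names in the allowlist and the file-open events are constructed assumptions.

```python
"""Detection helpers for the pattern described above: RAR archives carrying .SCR
executables dressed up as documents, and bulk collection of CAD and PDF files."""
import re
from collections import defaultdict

# File types the campaign is reported to collect (taken from the article).
TARGETED_EXTS = {".sldprt", ".cdw", ".m3d", ".dwg", ".pdf"}
# Extensions Windows runs as programs; .scr (screensaver) is the one used here.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
# Name fragments that make an executable look like a report or order (constructed).
DOCUMENT_WORDS = re.compile(r"(report|request|project|order|no\d+|\d{2}[._]\d{2}[._]\d{4})", re.I)


def ext_of(name):
    """Lower-cased final extension of a file name, or '' if it has none."""
    name = name.strip().lower()
    return name[name.rfind("."):] if "." in name else ""


def assess_archive_members(members):
    """Return (name, reason) findings for a list of archive member names."""
    findings = []
    for name in members:
        ext = ext_of(name)
        if ext not in EXECUTABLE_EXTS:
            continue
        reason = "executable inside archive"
        if ext == ".scr":
            reason = "screensaver executable (.scr) inside archive"
        # A document-like name or a double extension is the lure pattern.
        if DOCUMENT_WORDS.search(name) or name.count(".") > 1:
            reason += ", named like a document"
        findings.append((name, reason))
    return findings


def bulk_cad_readers(events, threshold=5, allowlist=("sldworks.exe", "kompas.exe", "acad.exe")):
    """events: iterable of (process_name, file_path) file-open records.
    Flag processes not in the CAD allowlist (assumed names) that open at least
    `threshold` distinct targeted files; returns {process: distinct_file_count}."""
    seen = defaultdict(set)
    for proc, path in events:
        if ext_of(path) in TARGETED_EXTS and proc.lower() not in allowlist:
            seen[proc].add(path)
    return {p: len(files) for p, files in seen.items() if len(files) >= threshold}
```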

The target audience of the attacks has been expanded to include enterprises engaged in design and development in various industries. Research institutes, companies in the rocket and space and aviation industries, as well as enterprises operating in the field of gas processing, petrochemistry and defense are at risk. Particular attention is paid to manufacturers of equipment, communication and radar systems, automotive components, automated process control systems and semiconductor devices.
