Cisco’s Talos researchers discovered the threat which sported unusual cyber features
NATO has been targeted by malware hiding in Microsoft Word document targeted at member governments of the intergovernmental military alliance in order to carryout reconnaissance and analysis.
Cisco’s Talos security research team identified the malware, noting it had several unusual features, such as the ability to avoid sandbox detection, exploit Adobe Flash, and swap out the malware payload with junk data to overload the resource pools of simplistic security devices.
Malware meets NATO
The Talos researchers noted that the malware campaign happened across Christmas and the New Year, and through analysis found that the Microsoft World document had a succession of embedded objects that enabled the execution of the malware payload through various stages, including forming a connection with a Command and Control server and targeting information on the victims machine to ascertain the version of the operating system and Adobe Flash it is running.
“The analysis of the Microsoft Office document shows an advanced workflow of infection. The purpose of the document is first to perform a reconnaissance of the victims in order to avoid communicating with sandbox systems or analyst virtual machines. Second, the Adobe Flash requests a payload and an Adobe Flash exploit which is loaded and executed on the fly,” the security researchers said.
“This approach is extremely clever, from the attacker point of view, the exploit is not embedded in the document making it more difficult to detect for some security devices than the standard word trojan.
“It’s important to note that the actor realised security researchers were poking around their infrastructure and then rigged the infrastructure to create resource issues for some security devices. These are the characteristics of reasonably advanced attackers who have designed an efficient minimalist framework that was able to adapt purposes on the fly.”
So far, it appears that no-one in NATO has fallen victim to that hack attack, but the sophistication of the malware indicates that it has come from a skilled hacker or hacker collective, potentially with the backing of a state sponsor. However, as it currently stands this is simply speculation.
Are you a security pro? Try our quiz!