In a new email-based campaign, a threat actor is very specifically targeting individuals who use Bloomberg’s industry-based services with various remote access trojans (RATs).
Cisco Talos Intelligence researchers who discovered the campaign think it most likely is an actor from an Arabic-speaking country.
According to a report posted on Wednesday, Cisco Talos researchers have been tracking the actor, whom they dubbed “Fajan,” since March. So far, they have collected a “relatively low volume” of samples and therefore, can’t say “whether the campaigns are carefully targeted or mass-spammed.”
“We believe this is the first time anyone’s documented Fajan’s operations in one place,” Cisco Talos researcher Vanja Svajcer said in the report.
Attacks start with an email sent to clients of Bloomberg BNA (now rebranded as Bloomberg Industry Group), which is a service aggregating news from various industries such as law, tax and accounting, and government and selling them to clients. The email claims to contain an invoice for clients but instead include an Excel spreadsheet that contains macro code that downloads the next payload or drops a JavaScript- or VB-based RAT.
The RAT “allows the attacker to take control over the infected system using HTTP over a non-standard TCP port.”
The scope of the campaign is small which most likely is because the attackers aim to test and improve their skills, Svajcer said.
Since attackers use RATs indicates that their goal is likely surveillance and data theft. Command and control servers were not active when researchers did their analysis, and they could not determine the campaign’s final aim.
One RAT from the campaign was NanoCore RAT, a commercial Trojan known since at least 2013.
Researchers observed the combination of VBA macro/RAT in about 60% of the attacks. The rest spread Excel with macro formulas that executed when the files were opened.
Analyzing the submissions on VirusTotal, researchers got some clues as to the portrait of the attacker:
“A number of similar scripts has been previously uploaded to VirusTotal and the authorship for them is claimed by an actor with a handle ‘Security.Najaf,’” Svajcer wrote. “This may imply the Fajan’s author origin to be Iraq, although it could also be just a coincidence or a false flag.”
