Blue Coat Exposes “The Inception Framework”
Date: Dec 10, 2014
Guest post: Blue Coat Labs.
Very Sophisticated, Layered Malware Attack Targeted at Military, Diplomats, and Business Execs
Researchers from Blue Coat Labs have identified the emergence of a previously undocumented attack framework that is being used to launch highly targeted attacks in order to gain access to, and extract confidential information from, victims’ computers.
Because of the many layers used in the design of the malware, we’ve named it Inception—a reference to the 2010 movie “Inception” about a thief who entered peoples’ dreams and stole secrets from their subconscious.
Targets include individuals in strategic positions: Executives in important businesses such as oil, finance and engineering, military officers, embassy personnel and government officials.
The Inception attacks began by focusing on targets primarily located in Russia or related to Russian interests, but have since spread to targets in other locations around the world. The preferred malware delivery method is via phishing emails containing trojanized documents.
Command & Control traffic on the Windows platform is performed indirectly via a Swedish cloud service provider using the WebDAV protocol. This hides the identity of the attacker and may bypass many current detection mechanisms.
The attackers have added another layer of indirection to mask their identity by leveraging a proxy network composed of routers, most of which are based in South Korea, for their command and control communication. It is believed that the attackers were able to compromise these devices based on poor configurations or default credentials.
Based on the multiple layers of obfuscation and indirection in the malware, along with the control mechanisms between attacker and target, it is clear the attackers behind Inception are intent on staying in the shadows.
The framework continues to evolve.
Blue Coat Lab researchers have recently found that the attackers have also created malware for Android, BlackBerry and iOS devices to gather information from victims, as well as seemingly planned MMS phishing campaigns to mobile devices of targeted individuals.
To date, Blue Coat has observed over 60 mobile providers such as China Mobile, O2, Orange, SingTel, T-Mobile and Vodafone, included in these preparations, but the real number is likely far higher.