Service Attack- A phishing campaign targeting utility grid operators uses a PDF attachment to deliver spyware.
A phishing campaign that spoofs a PDF attachment to deliver Adwind spyware has been taking aim at national grid utilities infrastructure.
Adwind, a.k.a. JRAT or SockRat, is being used in a malware-as-a-service model in this campaign, researchers said. It offers a full cadre of info-gathering features, including the ability to take screenshots, harvest credentials from Chrome, Internet Explorer and Microsoft Edge, record video and audio, take photos, steal files, perform keylogging, read emails and steal VPN certificates.
“Critical infrastructure facilities are high-risk targets, and the fact that Adwind is available as a paid service is very concerning,” Bob Noel, vice president of strategic relationships for Plixer, told Threatpost. “Anyone willing to pay can target utilities, and when successful, they have the ability to collect keystrokes, steal passwords, grab screenshots, take pictures from the web camera, record sound, etc. If infected end users have access to critical system information, it could be stolen and used in an attempt to attack the facility.”
The phishing email was sent from a hijacked account at Friary Shoes, according to Milo Salvia, researcher at Cofense. It merely says, “Attached is a copy of our remittance advice which you are required to sign and return,” with an embedded button purporting to point to a PDF file.
When a victim clicks on the button though, they’re redirected to a malicious web address; Salvia wrote in an analysis Monday that the cybercriminals are abusing the Fletcher Specs domain to host the malware. Once the victim lands there, a payload is automatically downloaded to the target machine.