It is being reported that the group behind the Sanny malware attacks has made significant changes to the way it delivers its payload. Findings by security researchers have uncovered that the attackers have upgraded their delivery techniques for planting malware on systems via document attachments sent as part of spam and phishing campaigns.
The attackers, believed to be based in Korea, have targeted English and Russian-language diplomatic victims around the world since 2012. According to FireEye’s report, written by researchers Sudeep Singh and Yijie Sui, the attacks are using both rigged Cyrillic and English-language Word files. The malicious file contains an embedded macro that, when enabled, triggers an infection chain that ultimately delivers the Sanny malware payload. Travis Smith, Principal Security Researcher at Tripwire, commented below.
Travis Smith, Principal Security Researcher at Tripwire:
“While the authors behind the malware are changing their tactics, the techniques they are leveraging are not novel compared to other pervasive malware. Unsolicited Word documents containing macros have been used for a while, and are something that every internet user should be trained to be wary of. By making the malware multi-stage, endpoint security tools may have a more difficult time identifying it as malware. However, from a detection standpoint the attack is incredibly noisy if the attack occurs on the company network. The number of new files added to the OS in addition to rogue FTP outbound traffic can be a red flag in environments which have established baselines for their network.
Even though this specific attack is targeted, the general population has nothing new to be concerned about. The same recommendations about safe browsing habits still apply to keep yourself safe.”
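As an added illustration of the "rogue FTP outbound traffic" red flag Smith describes (example code written for this page, not tooling from Tripwire or FireEye), the script below builds a per-host baseline from constructed flow records (`src,dst,port,proto`) and flags hosts that start FTP sessions to external addresses without FTP in their baseline. The internal address range and the sample flows are assumptions.

```python
"""Baseline check for outbound FTP from hosts that never used FTP before.
All flow records and the internal range below are constructed for this example."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed corporate range
FTP_PORTS = {21}

# Constructed known-good window: which ports each internal host normally talks to.
BASELINE_FLOWS = [
    "10.0.1.5,203.0.113.10,443,tcp",
    "10.0.1.5,203.0.113.11,80,tcp",
    "10.0.1.9,198.51.100.20,21,tcp",   # 10.0.1.9 legitimately uses FTP
    "10.0.1.9,203.0.113.10,443,tcp",
]

# Constructed later window: 10.0.1.5 suddenly opens FTP to a new external host.
NEW_FLOWS = [
    "10.0.1.5,203.0.113.10,443,tcp",
    "10.0.1.5,192.0.2.77,21,tcp",
    "10.0.1.9,198.51.100.20,21,tcp",
    "10.0.1.5,10.0.2.2,21,tcp",        # internal FTP: not outbound, ignored here
]


def parse_flow(line):
    src, dst, port, proto = line.strip().split(",")
    return src, dst, int(port), proto


def build_baseline(lines):
    """Map each internal source host to the set of destination ports seen in the baseline."""
    baseline = defaultdict(set)
    for line in lines:
        src, _, port, _ = parse_flow(line)
        baseline[src].add(port)
    return baseline


def find_rogue_ftp(lines, baseline):
    """Return (src, dst) for outbound FTP flows from hosts whose baseline has no FTP."""
    hits = []
    for line in lines:
        src, dst, port, _ = parse_flow(line)
        outbound = ip_address(dst) not in INTERNAL_NET
        if port in FTP_PORTS and outbound and not (baseline.get(src, set()) & FTP_PORTS):
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    for src, dst in find_rogue_ftp(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"rogue outbound FTP: {src} -> {dst}")
```

The same comparison against a baseline can be applied to the burst of newly written files Smith mentions, using file-creation events instead of flow records.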