An Iceman gang member confirms that the group is behind the introduction and spread of the malware that affected Crystal Finance Millennium, a Ukraine-based accounting software firm. Was this a politically motivated attack? Read more to find out.
I've had a chance to speak to one of the gang members on XMPP, and he confirmed that the Iceman group is behind this attack. They started with a simple web attack (SQLi, which led to a web shell upload; no privilege escalation was needed) in order to gain access to the company's web servers. He confirmed that the math was simple: the Ukrainian company had many clients in the financial and medical sectors, which facilitated the propagation of their malware. From the archived web page, it becomes apparent that they provide accounting software, personalization of medical records, blood service and "full automation of the doctor's office". Contrary to what their company name suggests, it appears they are (mostly) focused on medical software.
The group sent phishing emails to various targets based in Ukraine and former Soviet countries. The emails carried a ZIP file that, in turn, contained a JavaScript file. When users unzipped the archive and ran the JS file, the script downloaded a file named load.exe from CFM's web server.
The loader (load.exe) would then download a Purge ransomware variant that the Iceman group had modified for this operation. According to the gang, each target was treated individually to maximize profit: sometimes they would run a ransomware program, and sometimes a banking Trojan. “When you sophisticate your attack, you can drain the sharks” - he said.

A complete interview covering the course of this attack is in the making. It will be released in the upcoming weeks.
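As an added example (this is not code from the original post, and nothing here is attributed to the Iceman group or to CFM), the following Python script shows a mail-gateway style check a defender could run on ZIP attachments to catch the lure described above: a script file, often disguised with a document-like double extension, sitting alone inside an archive. The sample archives are constructed inline with placeholder content; the extension lists and verdict labels are the example's own choices.

```python
import io
import os
import zipfile

# Extensions the Windows Script Host / mshta will execute when a user double-clicks
# the extracted file. Assumption of this example: any of these inside a mail
# attachment is enough to block it.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Document-looking inner extensions used to make "invoice.pdf.js" read as a PDF.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_member(name: str) -> dict:
    """Describe one archive member by its final and inner extension."""
    base = os.path.basename(name.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    _, inner_ext = os.path.splitext(root)
    is_script = ext in SCRIPT_EXTENSIONS
    return {
        "name": name,
        "is_script": is_script,
        "double_extension": is_script and inner_ext.lower() in DOCUMENT_EXTENSIONS,
    }


def inspect_zip_attachment(data: bytes) -> dict:
    """Return a verdict for a ZIP attachment given as raw bytes.

    Only the central directory is read; nothing is extracted or executed.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return {"verdict": "not_a_zip", "reasons": ["payload is not a ZIP archive"], "members": []}

    members = [classify_member(i.filename) for i in infos]
    scripts = [m for m in members if m["is_script"]]
    reasons = []
    if scripts:
        names = ", ".join(m["name"] for m in scripts)
        reasons.append(f"archive contains script file(s): {names}")
    if any(m["double_extension"] for m in members):
        reasons.append("script disguised with a document-like double extension")
    if len(members) == 1 and scripts:
        reasons.append("single-member archive whose only file is a script")
    verdict = "block" if scripts else "allow"
    return {"verdict": verdict, "reasons": reasons, "members": [m["name"] for m in members]}


def make_zip(files: dict) -> bytes:
    """Build an in-memory ZIP from {name: content} (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (placeholders, not real malware): a lure whose only
# member is a script with a PDF-looking double extension, and a benign archive.
LURE_ZIP = make_zip({"invoice_2017.pdf.js": b"// constructed placeholder, no real payload\n"})
BENIGN_ZIP = make_zip({"report.pdf": b"%PDF-1.4\n% constructed placeholder\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        result = inspect_zip_attachment(blob)
        print(f"{label}: {result['verdict']} {result['reasons']}")
```

The check deliberately looks only at member names from the central directory, so it never needs to extract or open the script; a real gateway would pair it with a rule that also logs the sender and the outbound fetch that such a script performs on execution.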