{"id":4390,"date":"2022-01-21T18:24:30","date_gmt":"2022-01-21T12:54:30","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=4390"},"modified":"2022-01-21T18:24:33","modified_gmt":"2022-01-21T12:54:33","slug":"anomalous-spyware-hijacking-credentials-in-industrial-organizations","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/","title":{"rendered":"\u2018Anomalous\u2019 Spyware Hijacking Credentials in Industrial Organizations"},"content":{"rendered":"\n<p><p style=\"text-align: justify;\">Investigators have revealed some spyware operations that target industrial enterprises, targeting to hijack email account credentials and conduct financial fraud to resell them&nbsp;to other attackers. The attackers utilize off-the-shelf spyware tools but only set up each variant for a very limited time to avoid detection. Some examples of commodity malware utilized in attacks include AgentTesla\/ Origin Logger, HawkEye, Noon\/Formbook, Masslogger, Snake Keylogger, Azorult, and Lokibot.<\/p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Another Anomalous Attack<\/strong><\/h2>\n\n\n\n<p><p style=\"text-align: justify;\">Our security researchers call these spyware attacks \u2018anomalous\u2019 because of their very short-lived nature compared to what is considered typical in the field. 
More specifically, the lifespan of the attacks is limited to roughly 25 days, whereas most spyware operations last for some months or even years.<\/p><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/Anomalous-Spyware-Hijacking-Credentials-in-Industrial-Organizations-image1-2.png\" alt=\"Anomalous-Spyware-Hijacking-Credentials-in-Industrial-Organizations-image1\" class=\"wp-image-4396\" width=\"430\" height=\"298\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/Anomalous-Spyware-Hijacking-Credentials-in-Industrial-Organizations-image1-2.png 687w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/Anomalous-Spyware-Hijacking-Credentials-in-Industrial-Organizations-image1-2-300x208.png 300w\" sizes=\"(max-width: 430px) 100vw, 430px\" \/><\/figure><\/div>\n\n\n\n<p><p style=\"text-align: justify;\">The number of attacked systems in these campaigns is always below one hundred, half of which is ICS (integrated computer systems) machines deployed in industrial environments. Another unusual element is using the SMTP-based communication protocol for exfiltrating data to the actor-controlled C2 server.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">Unlike HTTPS, which is used in most standard spyware campaigns for C2 communication, SMTP is a one-way channel that caters only to data theft. 
SMTP isn\u2019t a common choice for threat actors because it can\u2019t fetch binaries or other non-text files, but it thrives through its simplicity and ability to blend with regular network traffic.<\/p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Hijacking credentials to further the infiltration<\/strong><\/h2>\n\n\n\n<p><p style=\"text-align: justify;\">The actors use stolen employee credentials that they acquire via spear-phishing to infiltrate deeper and move laterally in the company\u2019s network. Moreover, they use corporate mailboxes compromised in previous attacks as C2 servers to new attacks, making the detection and flagging of malicious internal correspondence very challenging.&nbsp;&nbsp;<\/p><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/Anomalous-Spyware-Hijacking-Credentials-in-Industrial-Organizations-image2-1-856x1024.png\" alt=\"Anomalous-Spyware-Hijacking-Credentials-in-Industrial-Organizations-image2\" class=\"wp-image-4397\" width=\"574\" height=\"686\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/Anomalous-Spyware-Hijacking-Credentials-in-Industrial-Organizations-image2-1-856x1024.png 856w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/Anomalous-Spyware-Hijacking-Credentials-in-Industrial-Organizations-image2-1-251x300.png 251w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/Anomalous-Spyware-Hijacking-Credentials-in-Industrial-Organizations-image2-1-768x919.png 768w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/Anomalous-Spyware-Hijacking-Credentials-in-Industrial-Organizations-image2-1.png 871w\" sizes=\"(max-width: 574px) 100vw, 574px\" \/><\/figure><\/div>\n\n\n\n<p><p style=\"text-align: justify;\">\u201cCuriously, corporate antispam technologies help the attackers stay unnoticed while exfiltrating stolen credentials 
from infected machines by making them \u2018invisible\u2019 among all the garbage emails in spam folders.\u201d &#8211; explains the researcher\u2019s report.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">In terms of numbers, the analysts identified at least 2,000 corporate email accounts abused as temporary C2 servers and another 7,000 email accounts abused in other ways.<\/p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Selling on dark web markets<\/strong><\/h3>\n\n\n\n<p><p style=\"text-align: justify;\">Many of the email, RDP, SMTP, SSH, cPanel, and VPN account credentials stolen in these campaigns are posted on dark web marketplaces and eventually sold to other threat actors.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify;\">According to our expert\u2019s statistical analysis, around 3.9% of all RDP accounts sold in these illegal markets belong to industrial companies. RDP (remote desktop protocol) accounts are precious to cybercriminals because they allow them to remotely access the compromised machines and directly interact with a device without raising any red flags. Generally, these listings attract the interest of ransomware actors who use RDP access to deploy their devastating malware.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Investigators have revealed some spyware operations that target industrial enterprises, targeting to hijack email account credentials and conduct financial fraud to resell them&nbsp;to other attackers. The attackers utilize off-the-shelf spyware tools but only set up each variant for a very limited time to avoid detection. 
Some examples of commodity malware utilized in attacks include AgentTesla\/ [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":4392,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>\u2018Anomalous\u2019 Spyware Hijacking Credentials in Industrial Organizations - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\u2018Anomalous\u2019 Spyware Hijacking Credentials in Industrial Organizations - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"Investigators have revealed some spyware operations that target industrial enterprises, targeting to hijack email account credentials and conduct financial fraud to resell them&nbsp;to other attackers. The attackers utilize off-the-shelf spyware tools but only set up each variant for a very limited time to avoid detection. 
Some examples of commodity malware utilized in attacks include AgentTesla\/ [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2022-01-21T12:54:30+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-01-21T12:54:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/Anomalous-Spyware-Hijacking-Credentials-in-Industrial-Organizations-faetured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"\u2018Anomalous\u2019 Spyware Hijacking Credentials in Industrial Organizations\",\"datePublished\":\"2022-01-21T12:54:30+00:00\",\"dateModified\":\"2022-01-21T12:54:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/\"},\"wordCount\":442,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Breaches\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/\",\"url\":\"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/\",\"name\":\"\u2018Anomalous\u2019 Spyware Hijacking Credentials in Industrial Organizations - Xiarch Solutions Private 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2022-01-21T12:54:30+00:00\",\"dateModified\":\"2022-01-21T12:54:33+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\u2018Anomalous\u2019 Spyware Hijacking Credentials in Industrial Organizations\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"\u2018Anomalous\u2019 Spyware Hijacking Credentials in Industrial Organizations - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/","og_locale":"en_US","og_type":"article","og_title":"\u2018Anomalous\u2019 Spyware Hijacking Credentials in Industrial Organizations - Xiarch Solutions Private Limited","og_description":"Investigators have revealed some spyware operations that target industrial enterprises, targeting to hijack email account credentials and conduct financial fraud to resell them&nbsp;to other attackers. The attackers utilize off-the-shelf spyware tools but only set up each variant for a very limited time to avoid detection. Some examples of commodity malware utilized in attacks include AgentTesla\/ [&hellip;]","og_url":"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2022-01-21T12:54:30+00:00","article_modified_time":"2022-01-21T12:54:33+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2022\/01\/Anomalous-Spyware-Hijacking-Credentials-in-Industrial-Organizations-faetured-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"\u2018Anomalous\u2019 Spyware Hijacking Credentials in Industrial Organizations","datePublished":"2022-01-21T12:54:30+00:00","dateModified":"2022-01-21T12:54:33+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/"},"wordCount":442,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Breaches"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/","url":"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/","name":"\u2018Anomalous\u2019 Spyware Hijacking Credentials in Industrial Organizations - Xiarch Solutions Private 
Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2022-01-21T12:54:30+00:00","dateModified":"2022-01-21T12:54:33+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/anomalous-spyware-hijacking-credentials-in-industrial-organizations\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"\u2018Anomalous\u2019 Spyware Hijacking Credentials in Industrial Organizations"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch 
Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/4390"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=4390"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/4390\/revisions"}],"predecessor-version":[{"id":4398,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/4390\/revisions\/4398"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/4392"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=4390"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=4390"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=4390"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}