‘Anomalous’ Spyware Stealing Data In Industrial Firms

Share post:

Researchers have detected various spyware campaigns targeting industrial enterprises. These spyware campaigns steal email account credentials, perform financial fraud or resell them to others.

The threat actors utilize off-the-shelf spyware tools but deploy each variant for a very limited time to avoid being detected.

Some examples of commodity malware used in attacks are AgentTesla/Origin Logger, HawkEye, Noon/Formbook, Masslogger, Snake Keylogger, Azorult, and Lokibot.

Kaspersky considers these attacks ‘anomalous’ due to their very short-lived nature. The lifespan of these attacks is estimated to only be 25 days, whereas most spyware campaigns last for months or even years.

The threat actors use employee credentials stolen through spear-phishing to infiltrate deeper and move laterally in the compromised network.

They also use corporate mailboxes breached during past attacks as C2 servers to new attacks. This makes the detection of malicious internal correspondence very difficult.

Many of the email RDP, SMTP, SSH, cPanel, and VPN account credentials stolen in these attacks are sold to other threat actors in the dark web marketplace.

Furthermore, Kaspersky’s statistical analysis shows that 3.9% of all RDP accounts sold in these illegal markets were from industrial companies.

RDP (remote desktop protocol) accounts are extremely vital to cybercriminals because these provide them with remote access to the compromised machines and directly control a device without getting detected or flagged.

For more information, read the original story in BleepingComputer.

Featured Tech Jobs


Related articles

Leaked documents may show the inside of China’s hacking strategy

Documents apparently stolen by disgruntled employees to embarrass their firm may give insight into China's cyber

Abuse of valid accounts by threat actors hits a high, says IBM

Attackers are finding that obtaining valid credentials is an easier route to achieving their goals, s

Cyber Security Today, Feb. 21, 2024 – A patch warning from ConnectWise, the latest ransomware news, and more

This episode reports on a report comparing business email compromise attacks against ransomware

UK leads takedown of LockBit ransomware gang’s website

The LockBit ransomware gang’s website has been seized, several news agencies reported late Monday. The Reuters news agency and The Register are carrying stories based on a new splash screen that has appeared on the gang’s website. It says, “This site is now under the control of the National Crime Agency of the UK, working

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways