
    Kaspersky Lab Exposes the Poseidon Group
    A Commercial Malware Boutique Operating on Land, Air and Sea

    LONDON, February 11, 2016 /PRNewswire/ --

    First ever publicly-known Brazilian Portuguese-speaking campaign targeting financial institutions as well as telecommunications, manufacturing, energy and media companies

    Kaspersky Lab's Global Research and Analysis Team has announced the discovery of the Poseidon Group, an advanced threat actor active in global cyber-espionage operations since at least 2005. What makes the Poseidon Group stand out is that it's a commercial entity, whose attacks involve custom malware digitally signed with rogue certificates deployed to steal sensitive data from victims to coerce them into a business relationship. In addition, the malware is designed to function specifically on English and Brazilian Portuguese Windows machines, a first for a targeted attack.

    At least 35 victim companies have been identified with primary targets including financial and government institutions, telecommunications, manufacturing, energy and other service utility companies, as well as media and public relations firms. Kaspersky Lab experts have also detected attacks on service companies that cater to top corporate executives. Victims of this group have been found in the following countries:

    • United States
    • France
    • Kazakhstan
    • United Arab Emirates
    • India
    • Russia

    However, the victim spread is heavily skewed towards Brazil, where many of the victims have joint ventures or partner operations.

    One of the characteristics of the Poseidon Group is an active exploration of domain-based corporate networks. According to Kaspersky Lab's analysis report, the Poseidon Group relies on spear-phishing e-mails carrying RTF/DOC attachments, usually with a human-resources lure, that drop a malicious binary onto the target's system when the document is opened. Another key finding is the presence of Brazilian-Portuguese language strings. The Group's preference for Portuguese systems, as revealed by the samples, is a practice that has not previously been seen.

    Once a computer is infected, the malware reports to the command and control servers before beginning a complex phase of lateral movement. This phase will often leverage a specialised tool that automatically and aggressively collects a wide array of information, including credentials, group management policies and even system logs, to better hone further attacks and ensure execution of the malware. By doing this, the attackers know in advance which applications and commands they can use without alerting the network administrator during lateral movement and exfiltration.



