A Phone Call, a Phish, and a Remote Access Trojan

In April 2013, Symantec was alerted to a series of sophisticated social-engineering attacks targeting a limited set of organizations in Europe. The most distinguishing feature of these attacks is that the victim receives a phone call from the attacker, who impersonates an employee or business associate of the organization. The caller speaks in French and asks the victim to process an invoice that they are about to receive by email.

Here is an example of an email received during one of the attacks. The email typically contains a malicious link or an attachment, which is actually a variant of W32.Shadesrat, a Remote Access Trojan (RAT).


Figure 1. Spear phishing attack email

There is evidence to suggest that these attacks began as early as February 2013; however, it was only more recently, in April, that phone calls were placed before the phishing email was sent to the victim. The attacks are currently localized to French organizations, but have also included subsidiaries that operate outside of France.


Figure 2. Number of organizations compromised in each country

The attacker is well prepared and has clearly obtained the email address and phone number of the victim before the attack. The victims tend to be accountants or employees working within the financial department of these organizations. Since handling invoices is something they do on a regular basis, this lure has the potential to be quite convincing. Each element of the attack requires careful planning and contributes to its overall success rate.


Figure 3. Attack event cycle

It appears that the attacker's motivation here is purely financial. Targeting employees who work with company finances likely provides access to sensitive company account information. These employees may also have the authority to facilitate transactions on behalf of the organization, which makes them a valuable target if the attacker gains access to the secure certificates required for online transactions or to confidential bank account information. The employees would also provide a useful source of information for subsequent social-engineering attacks: invoices and contract agreements would give the attacker all of the elements (email, phone, and relevant purchase/sales agreements) needed to continue executing these well-prepared attacks.

These attacks are continuing to this day, and organizations should be aware of these increasingly sophisticated social-engineering attacks. The attacker may have only limited information, so asking additional questions on a call may help to determine the legitimacy of the request. Organizations also need to be aware that personally identifiable employee information that exists outside of the enterprise, even in the form of an invoice, can be used against them if a business associate becomes compromised. Employees working with very sensitive information should store it in a secure location, ensure that it is encrypted, and only access it from a fully patched computer with adequate security solutions in place.

The Trojan used in these attacks is W32.Shadesrat, a Remote Access Trojan (RAT). W32.Shadesrat (a.k.a. Blackshades) is used by a variety of attackers of varying skill levels. A publicly available Trojan, it can be licensed for as little as $40-$100 a year. In June 2012, as part of a global sting operation carried out by the FBI, one of the contributors to the Blackshades project, Michael Hogue (a.k.a. xVisceral), was arrested. However, this RAT is still under active development and clearly shows no indication of going away any time soon.


Figure 4. Unique W32.Shadesrat infections, top 10 countries