The brief spearphishing campaigns spread malware and use compromised networks to steal credentials that can be sold or used to commit financial fraud.
Attackers are targeting industrial enterprises with spyware campaigns that hunt for corporate credentials, which are then used both for financial gain and to turn the compromised networks into infrastructure for further attacks, researchers have found.
The campaigns use off-the-shelf spyware but are unique in that they limit the scope and lifetime of each sample to the bare minimum, according to researchers at Kaspersky ICS CERT who uncovered the campaigns.
Researchers dubbed the attacks “anomalous” because they veer from typical spyware attacks, Kaspersky’s Kirill Kruglov wrote in a report published this week on the SecureList blog. The attackers send spearphishing emails from compromised corporate mailboxes, and the malicious attachments in those emails deliver the spyware, he explained.
The attackers use the SMTP services of industrial enterprises not only to send spearphishing emails but also as a one-way command-and-control (C2) channel: the spyware exfiltrates stolen data by sending it out through the victims’ own mail servers, giving the operators what they need to mount future attacks, Kruglov explained.
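The one-way SMTP C2 pattern described above leaves traces in the corporate mail server's submission logs, because the infected endpoints authenticate to that server with stolen credentials and send the harvested data to an external mailbox. The following Python script is an added example, not code from Kaspersky ICS CERT or from the report; it assumes a constructed, simplified log format (timestamp, authenticated account, client IP, envelope sender, recipient, size) and an assumed internal domain `plant.example`, and flags two signals consistent with the technique: one account authenticating from many internal hosts (harvested credentials reused by the spyware on several machines), and one external recipient receiving mail from many internal hosts (a collection mailbox).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed corporate mail domain; anything else is treated as external.
INTERNAL_DOMAIN = "plant.example"

# Constructed log format for this example (not a real MTA's format):
# <ts> auth=<account> client=<ip> from=<sender> to=<recipient> size=<bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<auth>\S+) client=(?P<client>\S+) "
    r"from=(?P<sender>\S+) to=(?P<rcpt>\S+) size=(?P<size>\d+)$"
)


@dataclass(frozen=True)
class Submission:
    ts: str
    auth: str     # account that authenticated to the submission service
    client: str   # IP of the host that connected
    sender: str
    rcpt: str
    size: int


def parse_log(text):
    """Parse constructed submission-log lines into Submission records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {line!r}")
        records.append(Submission(m["ts"], m["auth"], m["client"],
                                  m["sender"], m["rcpt"], int(m["size"])))
    return records


def is_external(address, internal_domain=INTERNAL_DOMAIN):
    return address.rpartition("@")[2].lower() != internal_domain


def accounts_shared_across_hosts(records, min_clients=3):
    """Accounts that authenticated from at least min_clients distinct hosts."""
    clients = defaultdict(set)
    for r in records:
        clients[r.auth].add(r.client)
    return {acct: sorted(ips) for acct, ips in clients.items()
            if len(ips) >= min_clients}


def external_fan_in(records, min_hosts=3, internal_domain=INTERNAL_DOMAIN):
    """External recipients that received mail from at least min_hosts internal hosts."""
    hosts = defaultdict(set)
    for r in records:
        if is_external(r.rcpt, internal_domain):
            hosts[r.rcpt].add(r.client)
    return {rcpt: sorted(ips) for rcpt, ips in hosts.items()
            if len(ips) >= min_hosts}


def detect(text, min_clients=3, min_hosts=3):
    """Run both heuristics over a log and return the flagged items."""
    records = parse_log(text)
    return {
        "shared_accounts": accounts_shared_across_hosts(records, min_clients),
        "collection_mailboxes": external_fan_in(records, min_hosts),
    }


# Constructed sample log: alice's credentials are reused from four hosts, and
# drop1@free-mail.example receives mail from four different internal hosts.
SAMPLE_LOG = """\
2022-01-19T08:02:11Z auth=alice@plant.example client=10.0.12.34 from=alice@plant.example to=supplier@vendor.example size=18322
2022-01-19T08:05:40Z auth=alice@plant.example client=10.0.12.34 from=alice@plant.example to=bob@plant.example size=2210
2022-01-19T09:11:03Z auth=alice@plant.example client=10.0.14.7 from=alice@plant.example to=drop1@free-mail.example size=41290
2022-01-19T09:12:55Z auth=alice@plant.example client=10.0.21.90 from=alice@plant.example to=drop1@free-mail.example size=39981
2022-01-19T09:14:30Z auth=alice@plant.example client=10.0.33.15 from=alice@plant.example to=drop1@free-mail.example size=40117
2022-01-19T10:01:07Z auth=carol@plant.example client=10.0.9.2 from=carol@plant.example to=drop1@free-mail.example size=38750
2022-01-19T10:20:18Z auth=dave@plant.example client=10.0.12.34 from=dave@plant.example to=dave.home@free-mail.example size=1024
"""

if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        for key, ips in hits.items():
            print(f"{kind}: {key} <- {', '.join(ips)}")
```

The thresholds of three hosts are assumptions chosen for the sample data; on a real server they should be tuned against a baseline, and the same heuristics map directly onto real MTA logs (Postfix `sasl_username`/client fields, Exchange message tracking) once the parser is adapted.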
“We believe that initially stolen data is used by threat operators primarily to spread the attack inside the local network of the attacked organization (via phishing emails)