Cyber espionage gang Poseidon poses as Windows experts

Custom malware developed by Poseidon could infect systems as old as Windows 95, according to Kaspersky Lab security experts

Imagine this scenario: Men dressed in sharp-looking suits show up and claim to know details of your business and its security problems. They are Windows networking experts and want to fix the issues that made a breach possible.

Except those suits aren't being helpful. Instead, they are likely from the Poseidon Group, a Brazilian cyber crime outfit that stealthily attacks organizations, steals information, and manipulates the victims into hiring them to secure the network, said Kaspersky Lab researchers Juan Andres Guerrero-Saade, Santiago Pontiroli, and Dmitry Bestuzhev at the Kaspersy Lab Security Analyst Summit. The group steals data from infected networks with a customized malware signed with digital certificates and containing a PowerShell agent.

Poseidon uses a combination of custom malware and spear phishing in English and Portuguese to steal information. The "treasure stealer" malware, also known as IGT, comes with a file deletion utility, a PowerShell agent, a SQL data compiler, and information gathering tools for stealing data such as user credentials, group management policies, and system logs.

PowerShell lets the attackers execute the commands and to look like normal network activity while poking around. The malware connects to a command-and-control server and sends information about the infected Windows system, such as the operating system version, username, and hostname.

"By doing this, the attackers actually know what applications and commands they can use without alerting the network administrator during lateral movement and exfiltration," the researchers said.

The Poseidon name reflects the fact the espionage group operates "on all domains: land, air, and sea," said Bestuzhev. Command-and-control servers have been found inside ISPs providing Internet services to ships at sea by hijacking satellites. Other command-and-control servers have been found inside ISPs providing traditional wireless connections. The group started hijacking satellites in 2013 to gain anonymity.

Windows experts on the prowl

The attackers focused on group management policy and domain rules to get to know the network and use the uncovered information to create the backdoor. After grabbing the data, the attackers delete the malware from the infected system. Since the malware has a very short life, Poseidon was able to evade detection for a long time. Researchers have found four versions of IGT so far.

The attackers used WRI files, which is associated with Microsoft Write, an old text editor found in older versions of Windows. The use of this obscure file extension was pretty clever, since many organizations specify their email policies to block attachments with extensions such as .exe. Very few administrators would think to block .wri, and most antivirus engines won't scan those files by default, the researchers said.

The malware was also capable of hooking into older Windows operating systems, as researchers found references to drivers and hotfixes for Windows NT and Windows 95. Some of the targets in Latin America were still using these ancient operating systems, the researchers said. This should be another reminder why organizations should not be using outdated systems. Attackers will find unsupported and insecure systems and exploit the security flaws. 

The attackers are "experts in all things Windows," said Bestuzhev.

The group sent highly targeted spear-phishing emails. In one attack against an energy company in Kazakhstan, the targeted individual was looking to hire someone for a very specialized position, and the attackers sent a message highlighting specific skills relevant to the role. Once the victim opened the attachment, the malware connected to the command-and-control server to launch the actual data-stealing malware.

Poseidon digitally signed its custom malware with rogue certificates. Researchers have found seven rogue certificates, and it appears the attackers sign the certificates with names of companies the target organization is likely to be familiar with.

Poseidon's business practices

The Poseidon Group is the very first commercial boutique cyber espionage group based out of Brazil. The fact that the malware executed only on Brazilian Portuguese Windows systems suggests Poseidon is based in Brazil so that attackers have close proximity to the organizations they plan to blackmail. The command-and-control servers were also based in Brazil. 

Linguistics provided another clue to Poseidon's location. The language used in the spear-phishing emails use speech patterns associated with Brazilian Portuguese, not the Portuguese spoken in Portugal, said Bestuzhev. The Windows commands showed language preferences that helped narrow the area down to northern Brazil.

Kaspersky researchers believe Poseidon is a commercial attack crew and not a state-sponsored actor. The group doesn't care about uncovering specific business secrets, only "treasures," or information the organization would consider important and the criminals can monetize.

For organizations that decline the security consulting offer, it won't be the last they hear from the group. If the company being blackmailed doesn't take up Poseidon's offer the first time, the group steals some more data and returns with a new offer at a later date.

"They wait a year to approach [you] again. 'Look what I found for you: Are you ready to work with me?'" said Bestuzhev.

Poseidon also uses the stolen data to further the other side of its business, incorporating the information in various "shadow, but still legal" activities, said Bestuzhev.

Kaspersky Lab researchers believe the group has been in operation since at least 2005 and has targeted at least 35 businesses across the financial, telecommunications, manufacturing, services, energy, and media industries. While victims have been found in the United States, France, Kazakhstan, United Arab Emirates, India, and Russia, Poseidon's primary focus is on Brazil-based organizations or multinational entities with operations in Brazil.

"Their techniques used to design attack components have evolved over the past 10 years," the researchers said. "The differences in various elements have made it difficult for researchers to correlate indicators and assemble the puzzle."

Copyright © 2016 IDG Communications, Inc.