Spear-Phishing Attacks

Where once attackers were content to simply deface a website or gain notoriety through mass system disruption, they now realize that they can make significant money, steal important data, or interfere with major infrastructure systems via cyber warfare instead.

A targeted attack is a long-term cyber-espionage campaign against a person or organization to gain persistent access to the target network. This allows them to extract confidential company data and possibly damage the target network. These compromised networks can be used for attacks against other organizations, making it harder to trace the attack back to its originator.

Spear-Phishing Attacks

Spear-phishing attacks combine phishing attacks and targeted malware. Attackers send spear-phishing messages to a few targeted employees with crafted email messages masquerading as legitimate recipients, possibly a boss or colleague. These spear-phishing messages likely contain a link to a malicious website or a malicious file attachment. A file attachment can exploit vulnerabilities in Microsoft™ Word™, Excel™, and Adobe™ products. The file attachment can also be a compressed archive containing executable files. When a recipient opens the file attachment, malicious software attempts to exploit the system. Often, to complete the ruse, the malicious software launches an innocuous document that appears benign.

Once the malicious software runs, it lies dormant on a system or attempts to communicate back to a command-and-control (C&C) server to receive further instructions.

C&C Callback

The following actions usually occur when malicious software installs and communicates back to a C&C server:

  • Software called a "downloader" automatically downloads and installs malware.

  • A human monitoring the C&C server (attacker) responds to the connection with an action. Software called a "remote access Trojan" (RAT) gives an attacker the ability to examine a system, extract files, download new files to run on a compromised system, turn on a system’s video camera and microphone, take screen captures, capture keystrokes, and run a command shell.

Attackers will attempt to move laterally throughout a compromised network by gaining additional persistent access points. Attackers will also attempt to steal user credentials for data collection spread throughout the network. If successful, collected data gets exfiltrated out of the network to another environment for further examination.

Attackers move at a slow pace to remain undetected. When a detection occurs, they will temporarily go dormant before resuming activity. If an organization eradicates their presence from the network, the attackers will start the attack cycle all over again.