Handful of organisations in the UK hit by operation emanating from Russia and the Ukraine
A gang of Russian cyber criminals has been carrying out a large-scale cyber attack campaign against organisations including government and transport bodies, according to security firm WebSense.
Using the Mevade malware, which has a Tor command and control functionality to hide operations, the crooks went after entities in the US, UK, Canada and India, the security firm says. The campaign started around 23 July, and may also have involved actors in Ukraine were also involved.
Hundreds infected in cyber campaign
“This campaign has infected hundreds of organisations and thousands of computers worldwide and appears to be used for a variety of purposes, including redirecting network traffic and click fraud, as well as search result highjacking,” Websense wrote in a blog post.
See below for a geographical breakdown of the cyber campaign, with targets in blue, and command and control infrastructure in red:
The malware appeared to use a number of tricks to evade detection outside of disabling anti-virus systems. It checked for the presence of the Sandboxie tool used by researchers to analyse malware as well as for Oracle VirtualBox services, indicating it would know if it was running in a virtual environment.
It also used a lightweight proxy called 3proxy so the attackers could get commands to run direct from the malware and on to a target network, Websense said.
“In these cases, the Proxy is configured as a reverse proxy, with the ability to tunnel through NAT (Network Address Translated) environments to create a connection to the attacker’s infrastructure and initiate a backdoor directly into the target network (in this case, using SSL over port 443),” the company added.
“The use of reverse proxies indicates that the cyber-criminals plan to manually scan a network and move laterally towards more critical apps and information (such as databases, critical systems, source-code, and document repositories) than might exist on the original machine that has been compromised.”
How well do you know Internet security? Try our quiz!