The Nitro hackers are still continuing their cyber attacks on chemical industries, according to a recent report from Symantec. The Nitro attacks began in July 2011 and are still ongoing. The attackers rely on social engineering, sending fake emails with malware attachments to chemical companies. (Read more about the Nitro attacks.)
Recently, Symantec.cloud intercepted a spam email that masquerades as coming from the Symantec Security Team and asks the recipient to download a password-protected attachment. The attachment contains malware (a variant of Poison Ivy). The attachment is named "the_nitro_attackspdf.7z" and contains a file called "the_nitro_attackspdf .exe".
[Image: Poison Ivy virus and pdf doc]
The self-extracting executable creates lsass.exe (the Poison Ivy server) and also drops a PDF file. That PDF file is none other than Symantec's own Nitro Attacks whitepaper!
The server (the malware) lsass.exe copies itself to "%System%\web\service.exe" and attempts to connect to the domain "luckysun.no-ip.org". This domain resolves to an IP address hosted by the same hosting provider that hosted most of the IP addresses encountered earlier in this campaign.
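The lure above works because the file name says "pdf" while the content is a Windows executable, and because the password-protected 7z archive hides that executable from scanners at the mail gateway. The following script is an added example (not Symantec's code and not part of the original post) showing two checks a defender can run once the files reach an endpoint: compare an attachment's claimed type against its magic bytes, and sweep DNS and file-creation logs for the indicators named in this article (the dropped path under \web\service.exe, the domain luckysun.no-ip.org, and the attachment file names). The log format and the sample log lines are constructed for the example.

```python
import re

# Indicators taken from the description on this page (not invented).
IOC_DOMAINS = ["luckysun.no-ip.org"]
IOC_PATHS = [r"\web\service.exe"]            # where the Poison Ivy server copies itself
IOC_FILENAMES = ["the_nitro_attackspdf.7z", "the_nitro_attackspdf .exe"]

# File signatures: PE/SFX executables start with "MZ", PDFs with "%PDF-",
# 7z archives with the fixed six-byte header 37 7A BC AF 27 1C.
MAGIC_PE = b"MZ"
MAGIC_PDF = b"%PDF-"
MAGIC_7Z = b"7z\xbc\xaf\x27\x1c"

# A name that mentions "pdf" but ends in .exe (optionally with a space before the
# extension, as in "the_nitro_attackspdf .exe") is the lure pattern in this campaign.
DISGUISED_EXE = re.compile(r"pdf.*\s*\.exe$", re.IGNORECASE)


def classify_attachment(name: str, data: bytes) -> str:
    """Compare what a file claims to be (its name) with what it is (its first bytes)."""
    if data.startswith(MAGIC_7Z):
        return "7z-archive"          # contents cannot be inspected if password-protected
    if data.startswith(MAGIC_PDF):
        return "pdf"
    if data.startswith(MAGIC_PE):
        if DISGUISED_EXE.search(name.strip()) or "pdf" in name.lower():
            return "pe-masquerading-as-pdf"
        return "pe"
    return "unknown"


def match_iocs(line: str):
    """Return the (category, indicator) pairs found in one log line."""
    low = line.lower()
    hits = []
    for d in IOC_DOMAINS:
        if d in low:
            hits.append(("domain", d))
    for p in IOC_PATHS:
        if p.lower() in low:
            hits.append(("path", p))
    for f in IOC_FILENAMES:
        if f.lower() in low:
            hits.append(("filename", f))
    return hits


def scan_logs(lines):
    """Return [(line_index, hits)] for every line that matches at least one indicator."""
    results = []
    for idx, line in enumerate(lines):
        hits = match_iocs(line)
        if hits:
            results.append((idx, hits))
    return results


# Constructed sample log lines (hypothetical format: timestamp, record kind, key=value fields).
SAMPLE_LOGS = [
    "2011-12-13T09:01:02 dns host=WS-17 query=www.symantec.com",
    "2011-12-13T09:01:40 file host=WS-17 create=C:\\Users\\j\\Downloads\\the_nitro_attackspdf.7z",
    "2011-12-13T09:02:05 file host=WS-17 create=C:\\Windows\\System32\\web\\service.exe",
    "2011-12-13T09:02:07 dns host=WS-17 query=luckysun.no-ip.org",
    "2011-12-13T09:05:00 dns host=WS-22 query=update.microsoft.com",
]

if __name__ == "__main__":
    # Constructed sample bytes: a PE header stub under the lure's file name.
    print(classify_attachment("the_nitro_attackspdf .exe", b"MZ\x90\x00" + b"\x00" * 60))
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(idx, SAMPLE_LOGS[idx], "->", hits)
```

The archive check only tells you that a 7z file arrived; a password-protected archive cannot be opened by a gateway scanner, which is exactly why this lure ships the executable inside one. The content-versus-name check therefore belongs where the user actually extracts the file (endpoint or sandbox), and the log sweep catches the post-infection behaviour (the dropped copy and the C&C lookup) even when the lure itself slipped through.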
“Despite the publishing of the whitepaper, this group persists in continuing their activities unchecked. They are using the exact same techniques - even using the same hosting provider for their command and control (C&C) servers,” researchers Tony Millington and Gavin O’Gorman said.
The domains used in this attack have been disabled, and Symantec has contacted the hosting provider to make sure the necessary steps are taken. Symantec.cloud protects its customers from this type of attack.