A highly sophisticated malware campaign has been targeting multiple industries, including the healthcare and public health sectors, for the past year, according to a May 2 alert from the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center.
The threat actors use stolen administrative credentials and certificates to install refined malware implants on critical systems, officials said. IT service providers are among the campaign's victims, and a compromised provider can be leveraged to reach its clients' networks.
To make matters worse, if an organization lacks the proper defenses, the intruders can gain full network and data access while their activity is masked as that of legitimate, existing monitoring tools.
“User impersonation via compromised credentials is the primary mechanism used by the adversary,” said officials. “However, a secondary technique to maintain persistence and provide additional access to the victim network is the use of malware implants left behind on key relay and staging machines.”
In some instances, officials said, the malware leaves no on-disk evidence that would allow for examination. Further, the hackers are using multiple malware variants and families, some of which can't be detected by anti-virus software.
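Because the alert names compromised administrative credentials as the primary mechanism and warns that the implants may leave nothing on disk for anti-virus to find, a defender's best signal is often the credential use itself. The following is an added example, not code from the alert or from NCCIC: it hunts over Windows logon records (Event ID 4624 exported as dicts) for an administrative account logging on remotely from a host it has never been seen on, and for one account fanning out to several hosts within a short window, the pattern an adversary reusing stolen credentials from a staging machine would produce. The account names, host names, logon events and thresholds are all constructed for illustration.

```python
"""Hunt for administrative-credential misuse in Windows logon events.

Added example; not part of the NCCIC alert. Assumes Event ID 4624 records
have been exported as dicts with the fields used below. All events, accounts
and host names are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the organisation knows which accounts hold administrative rights.
ADMIN_ACCOUNTS = {"CORP\\svc_backup", "CORP\\it_admin"}

# Windows logon types of interest: 3 = network (SMB/WMI), 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}

# Constructed baseline: a period of known-good admin logons.
BASELINE_EVENTS = [
    {"time": "2017-04-20T09:02:11", "account": "CORP\\it_admin",   "src_host": "ADMIN-WS01", "dst_host": "FILESRV01", "logon_type": 10},
    {"time": "2017-04-20T09:10:45", "account": "CORP\\it_admin",   "src_host": "ADMIN-WS01", "dst_host": "DC01",      "logon_type": 10},
    {"time": "2017-04-21T02:00:03", "account": "CORP\\svc_backup", "src_host": "BACKUP01",   "dst_host": "FILESRV01", "logon_type": 3},
    {"time": "2017-04-22T02:00:02", "account": "CORP\\svc_backup", "src_host": "BACKUP01",   "dst_host": "FILESRV02", "logon_type": 3},
]

# Constructed events to hunt over: the backup service account is reused from a
# workstation it never came from, fanning out across several servers.
HUNT_EVENTS = [
    {"time": "2017-05-01T02:00:05", "account": "CORP\\svc_backup", "src_host": "BACKUP01",   "dst_host": "FILESRV01", "logon_type": 3},
    {"time": "2017-05-01T14:12:00", "account": "CORP\\svc_backup", "src_host": "HR-WS17",    "dst_host": "FILESRV01", "logon_type": 3},
    {"time": "2017-05-01T14:12:30", "account": "CORP\\svc_backup", "src_host": "HR-WS17",    "dst_host": "FILESRV02", "logon_type": 3},
    {"time": "2017-05-01T14:13:10", "account": "CORP\\svc_backup", "src_host": "HR-WS17",    "dst_host": "DC01",      "logon_type": 3},
    {"time": "2017-05-01T14:14:00", "account": "CORP\\svc_backup", "src_host": "HR-WS17",    "dst_host": "APP01",     "logon_type": 3},
    {"time": "2017-05-01T15:00:00", "account": "CORP\\jdoe",       "src_host": "HR-WS17",    "dst_host": "FILESRV01", "logon_type": 3},
    {"time": "2017-05-01T16:00:00", "account": "CORP\\it_admin",   "src_host": "ADMIN-WS01", "dst_host": "DC01",      "logon_type": 10},
]


def build_baseline(events):
    """Map each admin account to the source hosts it normally logs on from."""
    seen = defaultdict(set)
    for e in events:
        if e["account"] in ADMIN_ACCOUNTS and e["logon_type"] in REMOTE_LOGON_TYPES:
            seen[e["account"]].add(e["src_host"])
    return seen


def hunt(events, baseline, fanout_threshold=3, window=timedelta(minutes=10)):
    """Return alerts for (a) an admin account used remotely from a source host
    absent from its baseline and (b) one account/source pair reaching at least
    `fanout_threshold` distinct hosts within `window` (lateral movement)."""
    alerts = []
    novel = defaultdict(set)        # (account, src_host) -> destination hosts
    per_source = defaultdict(list)  # (account, src_host) -> [(time, dst_host)]
    for e in events:
        if e["account"] not in ADMIN_ACCOUNTS or e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        key = (e["account"], e["src_host"])
        if e["src_host"] not in baseline.get(e["account"], set()):
            novel[key].add(e["dst_host"])
        per_source[key].append((datetime.fromisoformat(e["time"]), e["dst_host"]))
    for (account, src), dsts in novel.items():
        alerts.append(("new_source", account, src, sorted(dsts)))
    for (account, src), logons in per_source.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            targets = {dst for t, dst in logons[i:] if t - t0 <= window}
            if len(targets) >= fanout_threshold:
                alerts.append(("fanout", account, src, len(targets)))
                break
    return alerts


if __name__ == "__main__":
    for alert in hunt(HUNT_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```

Run against the constructed data, the hunt stays silent on the baseline period and raises two alerts for the service account coming from HR-WS17: one because that workstation is outside its baseline, one because it touched four servers in about two minutes. In practice the baseline should be rebuilt periodically and reviewed, since an adversary who has been in the environment for a year, as the alert describes, may already be part of it.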
REDLEAVES is a remote administration Trojan (RAT) unique to this campaign; it collects information about the victim's system and sends it back to the attackers' command-and-control (C2) server.
Another major variant in this campaign is PlugX, which can take screenshots and download files from the compromised system. Communications between the implant and the PlugX C2 server are encoded to evade detection and protect the traffic from inspection.
The energy, communications, IT and critical manufacturing industries are also among the campaign's initial victims. NCCIC is still investigating the malware campaign and will continue to update its alert as more details become available.
“There’s no single or set of defensive techniques or programs that will completely avert all malicious activities,” officials explained. “Multiple defensive techniques and programs should be adopted and implemented in a layered approach to provide a complex barrier to entry, increase the likelihood of detection and decrease the likelihood of a successful compromise.”