Hackers Use Multi-stage Attack to deploy Sanny Infostealer

Delaware, USA – March 27, 2018 – Researchers from FireEye discovered a new campaign targeting government departments and agencies with Sanny infostealer. The campaign is conducted by a hacker group, active since 2012 and allegedly located on the Korean Peninsula. Attackers changed their method of malware delivery and upgraded Sanny to bypass User Account Control and infect systems running Windows 10. The primary method of distribution is phishing emails with lure document that was specially created for each organization. The malicious document contains a macro that uses legitimate Windows utility certutil.exe to download and decode the bat file contained in the fake SSL certificate. The Use of certutil.exe for malicious purposes is a well-known practice, and most security solutions monitor this executable, so the macro copies and renames it before running. The bat file also uses techniques to avoid detection and delivers payload for the next stage, which in turn uses Windows COMSysApp service to download Sanny infostealer.

Using multi-stage delivery and modular architecture of malware allows attackers to bypass security solutions and steal sensitive data. You can use File Hash Analytics for ArcSight to detect such malware delivery method. This SIEM use case helps find different files with the same hashes, and also allows you to track hashes reported by security solutions.