If you work at any Indian embassy across the world, you should be cautious when surfing the Internet after the discovery of a new family of malware called TidePool, which security researchers at Palo Alto Networks believe is an evolutionary product of the old Operation Ke3chang.
At the moment, it is hard to conclude with finality that TidePool is a direct descendant of Operation Ke3chang, but researchers have found key evidence pointing to a relation between the two, based on the malware’s behavior. One particular indication that Ke3chang is tied to TidePool is the target: Ke3chang was previously used to launch a cyber attack against the Ministry of Affairs of India, following other still-recent attacks against the nation’s government.
According to Palo Alto Networks, the attackers behind TidePool have been using spear phishing email campaigns to hit a number of Indian embassies across the globe. The emails purport to contain an annual report filed by employees at more than 30 Indian embassies in different countries.
The attackers are also using email addresses that appear to belong to legitimate people with connections to the Indian embassies, so that the spear phishing emails look authentic, as though they were sent by trusted sources. Once the embassy recipients perceive an email to be legitimate, they are more likely to open the message than to ignore it.
Palo Alto Networks’ researchers also reported that the attackers are taking advantage of a new vulnerability to execute their attacks with TidePool. The new vulnerability allows for a couple of changes in a computer’s registry and a surge in the network’s command and control traffic, which the researchers attribute to an evolution of the Ke3chang codebase into TidePool.
Ke3chang came to light in September 2015 and was likewise delivered through a malicious document. In contrast to Ke3chang, however, the TidePool exploit carrier is sent as an MHTML document that comes in the form of a Microsoft Word file. The TidePool malware family is designed to get attackers past the firewall and let them view and change files and folders.
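The format mismatch described above is something a mail gateway or incident responder can check for directly: a genuine `.doc` is an OLE2 compound file and a `.docx` is a ZIP archive, whereas an MHTML file is plain text that opens with MIME header lines. The following script is an added example, not code from the article or from Palo Alto Networks; it classifies an attachment by its leading bytes and flags a Word extension whose content is actually MHTML. The sample attachments are constructed for illustration and are not real TidePool artefacts.

```python
"""Flag attachments that carry a Word extension but MHTML content.

Added example, not from the article or from Palo Alto Networks.
Heuristics: a .doc is an OLE2 compound file, a .docx is a ZIP archive,
and MHTML (RFC 2557) is text beginning with MIME headers.
"""
import re

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc (Compound File Binary)
ZIP_MAGIC = b"PK\x03\x04"                          # Office Open XML .docx
# MHTML opens with RFC 822-style header lines before the first blank line.
MHTML_HEADER = re.compile(
    rb"^(?:MIME-Version:|From:|Content-Type:\s*multipart/related)",
    re.IGNORECASE | re.MULTILINE,
)
WORD_EXTENSIONS = (".doc", ".dot", ".docx", ".docm")


def detect_container(data: bytes) -> str:
    """Return 'ole2', 'zip', 'mhtml' or 'unknown' based on the leading bytes."""
    head = data[:4096].lstrip()            # tolerate leading blank lines
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    # Only the header block (up to the first blank line) may carry MIME headers.
    header_block = re.split(rb"\r?\n\r?\n", head, maxsplit=1)[0]
    if MHTML_HEADER.search(header_block):
        return "mhtml"
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> dict:
    """Compare what the extension promises with what the bytes actually are."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    container = detect_container(data)
    if ext in WORD_EXTENSIONS and container in ("ole2", "zip"):
        verdict, reason = "ok", "container matches a Word document"
    elif ext in WORD_EXTENSIONS and container == "mhtml":
        verdict, reason = "suspicious", "MHTML content delivered under a Word extension"
    elif ext in WORD_EXTENSIONS:
        verdict, reason = "review", "Word extension but unrecognised container"
    else:
        verdict, reason = "review", f"not a Word extension ({ext or 'none'})"
    return {"filename": filename, "container": container,
            "verdict": verdict, "reason": reason}


# Constructed sample attachments (not real TidePool artefacts).
MHTML_SAMPLE = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/related; boundary=\"----=_NextPart_01D1\"\r\n"
    b"\r\n"
    b"------=_NextPart_01D1\r\n"
    b"Content-Type: text/html; charset=\"us-ascii\"\r\n"
    b"\r\n"
    b"<html><body>Annual report</body></html>\r\n"
)
OLE2_SAMPLE = OLE2_MAGIC + b"\x00" * 504
DOCX_SAMPLE = ZIP_MAGIC + b"\x14\x00\x06\x00" + b"\x00" * 26 + b"[Content_Types].xml"

if __name__ == "__main__":
    for name, blob in [("Annual_Report.doc", MHTML_SAMPLE),
                       ("Annual_Report.doc", OLE2_SAMPLE),
                       ("report.docx", DOCX_SAMPLE),
                       ("notes.txt", b"plain text")]:
        r = assess_attachment(name, blob)
        print(f"{r['filename']:20} {r['container']:8} {r['verdict']:10} {r['reason']}")
```

The check is deliberately cheap: it reads a few kilobytes and never parses the document, so it can run inline on every attachment. It is a triage signal rather than a verdict, since a legitimate user could save a page as MHTML and rename it, but a "Word" file that is really a MIME message is exactly the kind of anomaly worth routing to a sandbox.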
TidePool then steals information about the compromised computer and transmits it to a remote command and control server over a connection that closely resembles the one used by a malware family employed by the authors of Ke3chang.
What’s most striking about this malware is that it seems to have received little attention from most security vendors, except Palo Alto Networks, of course. Now that it appears to be persistent in its attacks, it is high time that IT departments raised their alarm.