Cyber Security

Torisma Spyware: Aerospace and Defense Sectors Targeted in Data-Exfiltration Campaign

Security researchers at McAfee have detected a cyberespionage campaign attempting to extract confidential information from foreign governments. Researchers warn that the data-exfiltration and surveillance operation is targeting the aerospace and defense sectors.

Attackers use previously-undetected spyware called Torisma to target IP addresses belonging to service providers in Australia, Russia, and Israel, as well as defense contractors based in Russia and India.

The campaign, named "Operation North Star," implements Tactics, Techniques, and Procedures (TTPs), typical for North Korea's threat group Hidden Cobra. According to security researchers, the applied TTP, as well as the use of Visual Basic (a programming language), suggest that the latest attacks are a sequel of 2019 campaigns, which were also aimed at gathering intelligence from key military and defense infrastructures.

Operation North Star

McAfee's analysis suggests that the latest malware campaign attempts data-gathering malware on victims' machines. The attackers use standard DLL implants that collect basic information that could be useful in classifying the value of potential targets.

However, researchers warn that Operation North Star exhibits a "degree of technical innovation" intended to camouflage the operation and keep it under the radar.

To infect its targets, the campaign relies on spear-phishing emails. The attackers use a series of weaponized documents containing job postings, copied from legitimate recruitments posts, published on a US defense contractor's website.

Figure 1: Attack Overflow

Graph showing Torisma malware's attack flow
The campaign relies on used malicious documents to install malware. Source: McAfee

The malicious attachments in the sample analyzed uses a template injection attack that downloads an external Word template containing executable macros.

Second and Third Stage Attack

While the attackers use malicious documents for the initial infiltration, Stage Two of the attack delivers malicious DLL files, designed to spy on the target. The criminals exploit patched SQLite DLLs to gather basic information from its targets, which could be used for identification purposes in the future.

The Third Stage of the attack drops yet more malicious DLLs that are part of legitimate software. Researchers explain that every time a specific function is called with a predefined set of parameters, the corrupted DLL will be activated.

Phase Three of the attack is focused on keeping the malicious operation under the radar. According to the research, to avoid detection, the attackers mimic the User-Agent that is present in the host system. For example, the User-Agent string from a web browser configuration can avoid network-based detection by camouflage the outgoing traffic.

Another interesting camouflaging technique is the implementation of compromised websites located in Italy and the US. Researchers also identified exploited websites owned by an auction house, a printing company, and an IT training firm as Command and Control(C2C) servers for the campaign.

Torisma Spyware

One of the most noteworthy payloads deployed in the latest attacks is a custom developed spyware called Torisma. The threat, which is dropped as a second stage implant, is designed to send and receive information from a command and control (C&C) server.

Figure 2: Inside Torisma Implant

Flowchart depicting Torisma malware's payload and component relationship.
This flowchart shows how Torisma malware's components compromise a system and establish communications with a C2C server. Source: McAfee

Torisma is designed to monitor for new drives added to the system, as well as to track remote desktop connections. While the threat is focused on active monitoring, it can also trigger payload executions as well. 

Figure 3: Torisma Monitoring Loop

Dynamic analysis showing Torisma malware's monitoring loop.
Torisma runs a monitoring loop that gathers information from the host device. Source McAfee


According to researchers, Torisma's end objective is to execute shellcode and to report the results back to the C&C server. Its monitoring loop allows attackers to identify victims, who could be monitored further.

Show More

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.

Previous/Next Posts

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button