HCM CITY — Kaspersky ICS CERT has uncovered a cyber campaign targeting industrial organisations in the Asia-Pacific region, where attackers implemented a complex multi-stage malware delivery scheme using legitimate software to avoid detection.
As a result, they could spread malware over victim organisations’ networks, install remote administration tools, manipulate devices, and steal and delete confidential information.
The campaign targeted government agencies and industrial organisations in several countries and territories in the APAC region, including Malaysia, mainland China, Japan, Thailand, Hong Kong, South Korea, Singapore, the Philippines, Taiwan (China), and Việt Nam.
Zip archives containing malware, disguised as tax-related documents, were delivered to victims in a phishing campaign via email and messengers (WeChat and Telegram). A complex multi-stage installation procedure then placed a backdoor, FatalRAT, on the system.
The attackers used a variety of methods to evade detection and blocking: dynamically changing control servers and malicious payloads, placing files on legitimate web resources, exploiting vulnerabilities in legitimate applications and using legitimate software capabilities to launch malware, and packaging and encrypting files and network traffic.
Kaspersky named this attack campaign SalmonSlalom: the attackers challenged cyber defences the way a salmon navigates cascading water while travelling upstream, losing strength as it manoeuvres between sharp rocks.
The company recommends several measures to avoid falling victim to the described attack, including enabling two-factor authentication for admin console and web interface access, installing and regularly updating centrally managed security solutions, and ensuring all security components remain active, with policies restricting unauthorised modifications.
Companies also need to make sure that security solutions receive up-to-date threat information for those groups of systems where the use of cloud security services is not prohibited by law or regulation, and to update operating systems and applications to versions currently supported by their vendors, among other measures. — VNS