Naikon Unleashed Hellsing Malware On MH370 Search

Mr Vicente Diaz Principal Security Research-GReAT Team Kaspersky Lab
A rare and unusual example of one cybercriminal attacking another has been recorded by an antivirus company. In 2014, Hellsing, a small and technically unremarkable cyberespionage group targeting mostly government and diplomatic organizations in Asia, was subjected to a spear-phishing attack by another threat actor and decided to strike back. It is believed that this could mark the emergence of a new trend in criminal cyberactivity: the APT wars.
 

The company has detected and blocked Hellsing malware in Malaysia, the Philippines, India, Indonesia and the US, with most of the victims located in Malaysia and the Philippines. The attackers are also very selective in terms of the type of organizations targeted, attempting to infect mostly government and diplomatic entities.

Deeper analysis of the Hellsing threat actor reveals a trail of spear-phishing emails with malicious attachments designed to propagate espionage malware among different organizations. If a victim opens the malicious attachment, their system becomes infected with a custom backdoor capable of downloading and uploading files, updating and uninstalling itself. According to observations, the number of organizations targeted by Hellsing is close to 20.
 
The discovery was made by experts during research into the activity of Naikon, a cyberespionage group also targeting organizations in the Asia-Pacific region. The experts noticed that one of Naikon’s targets had spotted the attempt to infect its systems with a spear-phishing email carrying a malicious attachment.
The target questioned the authenticity of the email with the sender and, apparently dissatisfied with the reply, did not open the attachment. Shortly thereafter the target forwarded to the sender an email containing the target’s own malware. This move triggered Kaspersky Lab’s investigation and led to the discovery of the Hellsing APT group.
They were seen attacking Malaysian authorities within four days of the MH370 disappearance, raising more suspicion around the mystery of the missing MAS plane. The group has attempted to infect computers of government agencies, the navy, police and the civil aviation department in Malaysia and other countries involved in the search efforts.
 

The method of counter-attack indicates that Hellsing wanted to identify the Naikon group and gather intelligence on it.

To protect against Hellsing attacks, the following basic security best practices are recommended:
·      Don’t open suspicious attachments from people you don’t know
·      Beware of password-protected archives which contain SCR or other executable files inside
·      If you are unsure about the attachment, try to open it in a sandbox
·      Make sure you have a modern operating system with all patches installed
·      Update all third-party applications such as Microsoft Office, Java, Adobe Flash Player and Adobe Reader.
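
The second recommendation can be checked without knowing the archive password. The sketch below is an added example, not code from Kaspersky Lab or from the original article: it assumes the attachment is a ZIP file, where standard encryption leaves entry names and the per-entry "encrypted" flag readable. The extension list, the function names and the sample archive are all constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click; .scr is the one the advice names.
# The rest of this list is an assumption made for the example.
RISKY_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flags: entry is encrypted


def risky_encrypted_entries(zip_bytes):
    """Return names of encrypted entries whose extension is executable.

    Only the central directory is read, so no password is needed and
    nothing is extracted or run.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename.replace("\\", "/")
            # Use the final suffix so a name like "report.pdf.scr" is caught.
            suffix = PurePosixPath(name).suffix.lower()
            if info.flag_bits & ENCRYPTED_FLAG and suffix in RISKY_EXTENSIONS:
                hits.append(info.filename)
    return hits


def build_sample(names, encrypted):
    """Constructed sample: a ZIP of harmless text files, optionally with the
    encrypted flag set in every central-directory record."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_STORED) as archive:
        for name in names:
            archive.writestr(name, "placeholder text")
    data = bytearray(buffer.getvalue())
    if encrypted:
        offset = data.find(b"PK\x01\x02")  # central-directory record signature
        while offset != -1:
            data[offset + 8] |= ENCRYPTED_FLAG  # low byte of the flags field
            offset = data.find(b"PK\x01\x02", offset + 4)
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample(["notes.txt", "itinerary.pdf.scr"], encrypted=True)
    print(risky_encrypted_entries(sample))
```

Archive formats that encrypt their file listing hide the names, so an empty result from a check like this is not a clean bill of health; such attachments still belong in the sandbox mentioned in the next recommendation.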
 
