Campaigns abusing corporate trusted infrastructure hunt for corporate credentials on ICS networks

Spyware attacks infecting ICS computers across the globe

Kaspersky ICS CERT has published a post on a growing number of anomalous spyware attacks infecting ICS computers across the globe. The article, Campaigns abusing corporate trusted infrastructure hunt for corporate credentials on ICS networks, describes a spyware campaign in which the attackers use compromised corporate e-mail accounts as their C2 channel, so the C2 traffic rides on infrastructure the victim organisation already trusts.

“When a compromised email account is abused as a C2, the C2 traffic is normally detected by an antispam solution and moved to the spam folder, where in most cases it remains unnoticed until the folder is cleaned. Evading antispam detection is not in the interests of the malicious actors, as this would bring victims’ attention to C2 traffic, signaling compromise. That’s how malicious actors use cybersecurity-related technology to their advantage.”

The article includes a set of C2 indicators, which can also be found in our MISP event 14e083b6-5d3f-4925-8b7c-19f1ec08985.
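The practical consequence of the quoted observation is that a hunt for this kind of C2 has to cover the spam and junk folders, not just the inbox and sent items, because that is where the antispam engine parks the traffic. The script below is an added example (not code from Kaspersky ICS CERT or from the article) that takes a list of C2 mailbox addresses in the form they would appear as email-src/email-dst attributes in a MISP event and matches them against a mailbox export regardless of which folder a message landed in. The C2 addresses, the messages and the X-Folder header that stands in for the IMAP folder are all constructed for the example; real indicators come from the MISP event referenced above.

```python
"""Hunt a mailbox export for C2 traffic relayed through a compromised
e-mail account, including messages antispam already moved to spam.
Added example with constructed data; the addresses are not real IoCs."""
import email
from email import policy
from email.utils import getaddresses

# Hypothetical C2 mailboxes, as they would be exported from MISP
# email-src / email-dst attributes. Constructed, not real indicators.
C2_MAILBOXES = {
    "collector@mail.example.net",
    "ops-report@example.org",
}

# Constructed mailbox export. X-Folder stands in for the IMAP folder the
# message was found in, X-Spam-Flag for the antispam verdict.
SAMPLE_MESSAGES = [
    """From: collector@mail.example.net
To: j.doe@corp.example.com
Subject: Re: monthly report
X-Spam-Flag: YES
X-Folder: Junk E-mail
Date: Mon, 01 Aug 2022 09:12:00 +0000

(a command from the operator would be here)
""",
    """From: j.doe@corp.example.com
To: ops-report@example.org
Subject: FW: credentials backup
X-Spam-Flag: NO
X-Folder: Sent Items
Date: Mon, 01 Aug 2022 09:15:00 +0000

(stolen credentials sent out through the compromised account)
""",
    """From: hr@corp.example.com
To: j.doe@corp.example.com
Subject: Holiday schedule
X-Spam-Flag: NO
X-Folder: Inbox
Date: Mon, 01 Aug 2022 10:00:00 +0000

Nothing suspicious here.
""",
]


def message_addresses(msg):
    """Return every mailbox address in the sender/recipient headers, lowercased."""
    headers = []
    for name in ("From", "Reply-To", "Sender", "To", "Cc", "Bcc"):
        headers.extend(str(h) for h in msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def hunt(raw_messages, iocs=C2_MAILBOXES):
    """Flag messages whose addresses hit the IoC list, whatever folder they sit in."""
    wanted = {a.lower() for a in iocs}
    hits = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        matched = message_addresses(msg) & wanted
        if not matched:
            continue
        hits.append({
            "subject": str(msg["Subject"]),
            "folder": str(msg["X-Folder"]),
            "spam_flagged": str(msg["X-Spam-Flag"]).upper() == "YES",
            "matched": sorted(matched),
        })
    return hits


def summary(hits):
    """Total hits, and how many were already sitting in spam when found."""
    return {"hits": len(hits), "in_spam": sum(1 for h in hits if h["spam_flagged"])}


if __name__ == "__main__":
    results = hunt(SAMPLE_MESSAGES)
    for h in results:
        print(f"[{h['folder']}] spam={h['spam_flagged']} {h['subject']!r} <- {h['matched']}")
    print(summary(results))
```

Against the constructed export the hunt reports two hits: the inbound command that antispam had already moved to Junk E-mail, and the outbound exfiltration sitting in Sent Items with no spam verdict at all. A hunt scoped to the inbox would have seen neither, which is exactly the blind spot the campaign relies on; the same matching can be pointed at an SMTP log instead of a mailbox export by extracting the envelope addresses from the log lines.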