Backdoor uses anti-forensics techniques to hinder analysis

Nov 5, 2018 21:44 GMT  ·  By

The Inception threat group has been observed exploiting CVE-2017-11882, a memory corruption vulnerability in Microsoft Office, and deploying a PowerShell-based backdoor dubbed POWERSHOWER in its most recent multi-stage attack campaign, seen during October 2018.

Inception has been active since at least 2014, using multiple highly automated malware toolkits against a wide array of industries and platforms around the world, with a focus on Russian targets.

Moreover, Inception is also known for routing its attacks through compromised routers from all over the globe, using them as proxies to hide the origin of its traffic, and for automatically removing any traces that could lead back to the attackers once a connection to the victim machine has been made.

Since 2014 Inception has used two-stage spear-phishing attacks: the first stage is an email carrying a reconnaissance document designed to automatically fingerprint the victim's device.

A number of days later, a second spear-phishing email follows, linking to a remote document designed to drop the exploit payload.

The POWERSHOWER backdoor cleans up infiltration and infection traces to obstruct analysis of the attack

In the campaign recently observed by Palo Alto Networks' Unit 42, Inception reworked its attack chain to use a single document that relies on Microsoft Word remote templates to download the VBScript exploit payloads, packaged as OLE objects, from a remote server.
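A Word remote template is declared inside the .docx package: word/settings.xml carries a w:attachedTemplate element whose r:id resolves, through word/_rels/settings.xml.rels, to a Relationship of type attachedTemplate with TargetMode="External". Word fetches that target when the document is opened. The following script, written for this article and not code from Unit 42 or from Inception's tooling, builds a constructed minimal .docx in memory (not a real sample) and reports external template targets that point to a URL or UNC path, which is the check a triage analyst would run over mail attachments. The builder, function names and the example URLs are assumptions made for the illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# OOXML namespaces used by Word packages.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"


def is_remote_target(target: str) -> bool:
    """True for targets Word would fetch over the network (URL or UNC path).

    A local Normal.dotm typically appears as a file:/// target, which is
    declared External too but is not a remote-template lure.
    """
    t = target.strip().lower()
    return t.startswith(("http://", "https://", "ftp://", "\\\\", "//"))


def external_templates(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (rId, target) pairs for attachedTemplate relationships that point
    outside the package, as declared in word/_rels/settings.xml.rels.

    If word/settings.xml names specific rIds in w:attachedTemplate, only those
    are reported; otherwise every external attachedTemplate relationship is.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/_rels/settings.xml.rels" not in names:
            return []
        rels_root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        referenced = set()
        if "word/settings.xml" in names:
            settings = ET.fromstring(z.read("word/settings.xml"))
            for el in settings.iter(f"{{{W_NS}}}attachedTemplate"):
                rid = el.get(f"{{{R_NS}}}id")
                if rid:
                    referenced.add(rid)

    hits = []
    for rel in rels_root.iter(f"{{{PKG_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
            continue
        if referenced and rel.get("Id") not in referenced:
            continue
        hits.append((rel.get("Id"), rel.get("Target")))
    return hits


def remote_template_targets(docx_bytes: bytes) -> List[str]:
    """Targets an analyst should treat as remote-template lures."""
    return [t for _, t in external_templates(docx_bytes) if is_remote_target(t)]


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal .docx (not a real sample) with an optional attached template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{W_NS}"><w:body><w:p/></w:body></w:document>')
        if template_target is not None:
            z.writestr("word/settings.xml",
                       f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                       f'<w:attachedTemplate r:id="rId1"/></w:settings>')
            z.writestr("word/_rels/settings.xml.rels",
                       f'<Relationships xmlns="{PKG_NS}">'
                       f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                       f'Target="{template_target}" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical targets: a benign document, a local Normal.dotm, an HTTP lure, a UNC lure.
    for target in (None, "file:///C:/Users/u/AppData/Roaming/Microsoft/Templates/Normal.dotm",
                   "http://example.invalid/template.dotm", "\\\\10.0.0.5\\share\\template.dotm"):
        print(repr(target), "->", remote_template_targets(build_sample_docx(target)))
```

Run the script over real attachments by passing the file bytes to remote_template_targets; any non-empty result is worth a detonation or a block, since a legitimate document rarely pulls its template from an external web or SMB server.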

When a user opens the document delivered by the spear-phishing email, the downloaded payload launches the PowerShell backdoor dubbed POWERSHOWER, which serves as the downloader and installer for more complex secondary payloads.

POWERSHOWER first fingerprints the compromised machine, uploads the results to its command-and-control (C&C) server, and then cleans up all traces of its activity to hinder forensic analysis.

If the victim machine is deemed valuable enough, the threat group then uses the POWERSHOWER backdoor to drop and run the secondary malware payload.

This layered infiltration and infection process lets the group keep its attacks hidden and expose its more complex tooling only to the most valuable victims.