Pied Piper campaign targets food chains, suppliers

Morphisec suspects that TA505, a threat group discovered and named by Proofpoint, is behind the attacks.

Researchers from Morphisec, a moving target defence company, have uncovered a widespread, ongoing cyber campaign hitting multiple targets.

A moving target defence aims to make it more difficult for attackers to succeed, by constantly shifting the environment.

The campaign, dubbed 'Pied Piper', uses phishing to deliver various remote access Trojan (RAT) payloads, including the FlawedAmmyy RAT, across multiple countries.

The Trojan gives threat actors complete access to the victim's machine, allowing them to steal files and credentials, collect screen grabs, and access the camera and microphone. In addition, it provides a foothold for an attacker to move laterally through the network, serving as a potential entry point for a major supply chain attack.

According to Morphisec, the campaign has been targeting food chains and their supply lines, potentially impacting a supplier to several well-known companies, including Godiva Chocolates, Yogurtland and Pinkberry. Others in the supply chain could be hit too, if the command and control (C&C) servers aren't disabled.

"The use of FlawedAmmyy has surged in recent months, landing it on the Check Point Global Threat Index's Top 10 last month," says Michael Gorelik, CTO of Morphisec. "The malware is built on top of the source code of leaked Ammyy Admin remote desktop software, as revealed by Proofpoint researchers last March."

He says deeper investigation into the campaign revealed that, based on metadata and additional indicators, the same threat actor is delivering another version, which has the Remote Manipulator (RMS) RAT as the payload. The RMS RAT is built on top of a readily available, non-commercial library that helps to analyse exceptions in code.

Who's paying the piper?

Gorelik says all versions of the campaign start with a phishing lure designed to trick users into enabling macro execution. The attack continues through multiple stages, finally delivering a fully signed executable RAT.

Based on metadata, Morphisec suspects TA505, a threat group discovered and named by Proofpoint, is behind the attacks. TA505 has been responsible for the largest malicious spam campaigns observed by Proofpoint, including the Dridex banking Trojan, Locky ransomware, Jaff ransomware, The Trick banking Trojan, and several others in high volumes.

Morphisec has reported details of the campaign to authorities to facilitate the take-down of the C&C servers being used in the attack.

Gorelik advises enterprises to take this analysis into consideration and work to determine if they, or any supply chain partners, have been impacted.

"A large component of this campaign features techniques that easily evade typical anti-virus software, so there may be a need for additional endpoint security software."
