Police in Iceland have said a highly complex phishing attack is the biggest ever cyberattack the country has ever witnessed. The campaign saw thousands of messages sent that tried to get Icelanders to download a remote access tool that would give the hackers full access to their computers.
The software implemented in this campaign is an authentic remote access tool called Remcos. Remcos is used to permit remote access to a computer, often for the purpose of providing IT support, for surveillance, or as an anti-theft tool for laptop computing devices. However, while it was created for legitimate use, because it gives the administrator full control over the computer once downloaded, it has significant potential to be used for malicious reasons. Unsurprisingly, Remcos has been used by hackers in several malware campaigns in the past, often carried out using spear phishing campaigns. One notable attack involved the spoofing of the Turkish Revenue Administration, Turkey’s equivalent of the IRS, to get the RAT downloaded to provide access to victim’s computers.
The use of Remcos for malicious purposes violates the terms and conditions of use. If discovered, the developer can block the customer’s license to prevent use of the software. However, during the time that Remcos is present on a system, considerable harm can be caused – sabotage, theft of sensitive data, installation of malicious software, and file encryption with ransomware to name a small number.
As was the case in Turkey, the phishing campaign in Iceland tried to trick end users into installing the program through deception. In this case, the emails purported to have come from the Icelandic Police. The emails used fear to get recipients of the message to click a link in the email and install the remote access tool.
The emails informed the recipients that they were due to visit the police for questioning. Urgency was included by informing the recipient of the message that an arrest warrant would be sent if they did not respond. Visiting the link in the email directed the user to what appeared to be the true website of the Icelandic police. The website was a carbon copy of the authentic website and required the visitor to enter their Social Security number along with an authentication code sent in the email to find out more details about the police case.
In Iceland, Social Security numbers are often required on websites to use official services, so the request would not appear strange. On official websites, Social Security numbers are matched against a database and are rejected if they are not real. In this case, the hacker was also able to check the validity of the SSN, which means access to a database had been obtained, most likely an old database that had been previously leaked or the attacker may have had authentic access and improperly used the database.
After submitting the information, a password protected archive was installed which allegedly contained documents with details of the case. The webpage provided the password to unlock the password protected archive, which included a .scr file disguised as a Word document.
On this occasion, the RAT was augmented with a VBS script to ensure it ran on startup. The RAT had keylogging and password taking capabilities and was used to steal banking details. After obtaining access to banking credentials, the information was sent back to command and control servers located in Germany and the Netherlands.
While the campaign looked completely genuine, a common trick was used to trick recipients of the email, which number in the thousands. The domain used in the attack closely resembled the official police website, logreglan.is but included a lower case i instead of the second l – logregian.is. A casual glance at the sender of the email or the domain name in the address bar would unlikely show that the domain was not genuine. Additionally, the link in the email replaced the lower case i with a capital I, which is almost impossible to distinguish from a lower-case L.
The Icelandic police moved swiftly to address the attack and the malicious domain was taken down the next day. It is unknown how many people were tricked by the scam.
