Computer Crime Research Center


Concealed cyber crime gang uncovered

Date: July 23, 2014

Targets lucrative industries, hosted on Dropbox.

A hacking group that has been operating virtually undetected by anti virus systems since at least 2007 has been exposed by a team of researchers at Cisco.

The String of Paerls group - which distributes malware almost entirely undetectable by anti-virus systems and targets high-profile, lucrative industries such as banking, oil, television and jewellery - was exposed by a team of researchers from Cisco in a blog post.

The miscreants are so named because one of their domains is ‘', mimicking the name of a legitimate UK-based jewellery business, London Pearl Ltd.

The criminals have run several different malware campaigns but remained hidden because they preyed on small numbers of victims using extremely targeted spear phishing emails and adopted various other means to cover their tracks, Cisco claimed.

Cisco research team leader, Craig Williams, said the group was one of the very few attackers that have not been tracked.

"They've been around for a long time. But when they target such a small amount of people it's very difficult to detect, and it maximises the chance of the attacker getting away with it," he said.

“A very, very small percentage of AV engines detected the malware, I think there was one out of maybe 50 that we tested that detected it and the rest didn't.

I think that was one of the reasons why these guys were still so successful – no-one was detecting it and there was such a small number of customers targeted that they were just sliding under the radar.”

The criminals hid behind numerous fake domain names and also frequently switched addresses and email addresses.

“During the investigation the threat actor changed the information on some of the domains several times. Items like addresses, email addresses and such were changed, literally, in between browser refreshes," Cisco said.

Cisco warned that the attackers typically use a traditional spear phishing email, such as a fake invoice, purchase order or receipt, written specifically for the recipient, in order to infect them with a spiked Microsoft Word attachment.

“While basic, the Office Macro attack vector is obviously still working quite effectively.”

But among some more ‘new-school' features, the attackers follow the recent trend of hosting their malware on the Dropbox cloud-based file-sharing service.

Cisco found four separate pieces of the malware payload on Dropbox, and reported the links to the company who then disabled them.

Analysing the attack, industry expert Fran Howarth, senior security analyst at Bloor Research, said the use of Dropbox appeared to be a new tactic.

“Many employees are used to using such file-sharing applications for leisure purposes and are increasingly using such services for work as well - often without the knowledge of their employer.

“This creates another reason for organisations to look closely at the use of unsanctioned services and should provide their employees with an alternative that is as user friendly, but under the control of the IT department.”

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo