An unknown actor purporting to be from the tax collection arm of the Turkish government has been carrying out spear-phishing campaigns against Turkish defense contractors.
According to RiskIQ, the perpetrators have been targeting multiple people inside a given organization since November 2017 with weaponized documents that download a remote access Trojan (RAT) named Remcos. Remcos can log keystrokes, take screenshots, record audio and video from a webcam or microphone, install and uninstall programs, and manage files. Notably, it also has SOCKS5 proxy capabilities: an operator can turn the victims' machines into proxies for its own traffic, hiding the real C2 server.
“Regions of the world in geopolitical turmoil, like Turkey, are prime targets for cyber-espionage campaigns,” said RiskIQ researcher Yonathan Klijnsma in a blog. “The group used tactics that have become extremely useful for cyber-spies – spear-phishing emails that social engineer the victim to download an attached or embedded file and then enable macros.”
The email supposedly comes from the Turkish government entity responsible for taxes. It states that the recipient may qualify for a tax exemption if they fill out the attached documents. Although the sender domain, gerlirler.gov.tr, is valid, the email failed Sender Policy Framework (SPF) verification when analyzed.
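The SPF failure is the detection hook in the paragraph above: a mail gateway records its SPF verdict in the Authentication-Results or Received-SPF header, and a message whose visible From: domain looks like a government domain while that verdict is "fail" deserves quarantine rather than delivery. The following Python script is an added example, not code from RiskIQ or from the article; the message headers, host names and IP address it contains are constructed for illustration, and the sender domain is taken from the text above.

```python
"""Flag inbound mail whose From: domain appears legitimate but whose SPF
evaluation, as recorded by the receiving MTA, failed."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Optional

# Constructed sample message modelled on the lure described above.
# Host names, addresses and the client IP are invented for this example.
SAMPLE_FAIL = """\
Received-SPF: fail (mx.example.net: domain of gerlirler.gov.tr does not designate 203.0.113.7 as permitted sender) client-ip=203.0.113.7;
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=gerlirler.gov.tr; dkim=none
From: "Gelir Idaresi" <bildirim@gerlirler.gov.tr>
To: finance@example-defence.invalid
Subject: Vergi muafiyeti basvurusu
Content-Type: text/plain

Please fill out the attached documents.
"""

# Constructed control message in which SPF passed.
SAMPLE_PASS = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.org; dkim=pass
From: "Payroll" <payroll@example.org>
To: finance@example-defence.invalid
Subject: Monthly statement
Content-Type: text/plain

Statement attached.
"""

# SPF verdicts that should block delivery of an unsolicited attachment.
BLOCKING_VERDICTS = {"fail", "softfail", "permerror"}


def spf_verdict(msg) -> Optional[str]:
    """Return the SPF verdict the MTA recorded, preferring Authentication-Results."""
    for header in msg.get_all("Authentication-Results") or []:
        match = re.search(r"\bspf=(\w+)", str(header))
        if match:
            return match.group(1).lower()
    received_spf = msg.get("Received-SPF")
    if received_spf:
        # Received-SPF begins with the bare verdict, e.g. "fail (...)".
        return str(received_spf).split()[0].lower()
    return None


def from_domain(msg) -> str:
    """Extract the domain of the visible From: address (what the victim sees)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw: str) -> dict:
    """Parse a raw message and decide whether it should be quarantined."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdict = spf_verdict(msg)
    domain = from_domain(msg)
    # A .gov.tr sender whose SPF check failed is the pattern described above;
    # any failing verdict is treated as suspicious regardless of TLD.
    suspicious = verdict in BLOCKING_VERDICTS
    return {"from_domain": domain, "spf": verdict, "quarantine": suspicious}


if __name__ == "__main__":
    for raw in (SAMPLE_FAIL, SAMPLE_PASS):
        print(assess(raw))
```

In production the same logic normally sits in a DMARC-aware gateway that also evaluates DKIM alignment; this script only shows the SPF portion so the check in the paragraph is visible on its own.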
“We would also like to point out that this campaign wasn’t run on its own — far before this campaign, the actors used these domains in other attacks,” Klijnsma said. “Pivoting through the related IP addresses can give some additional insights into the vast infrastructure of this attacker, which seems to be relying on using its victims as the SOCKS5 tunnels’ proxies.”