Samsung Help Centers, Victims of Trojan Attacks




Recently, hackers who have not yet been identified attempted to compromise the PCs of employees at some Samsung Italia service centers by installing a Trojan. It all started last April, but the details were only revealed by Gianfranco Tonello, Federico Girotto and Michele Zuin in a report published by the security company TG Soft. The episode also appears to replicate another attack in Russia, again against Samsung.

It usually starts with the receipt of an email whose subject is "Communication 18-061: management of unauthorized centers". Written in perfect Italian, it appears to come from a legitimate Samsung address, that of the director of the IT department of Samsung Italy, and it even contains the real contact details (phone number and email) of the presumed sender.

[Figure: diagram of the attack infrastructure]
The diagram of the infrastructure used by the hackers gives an idea of the complexity of the attack.

Attached to the email is an Excel file called QRS unauthorized.xlsx, which contains a list of unauthorized help centers but also code that exploits a vulnerability in Office. This is a known security flaw, CVE-2017-11882, which triggers the execution of malware when the file is opened. In this specific implementation, however, the attack is even more subtle, because opening the file starts a download of malware from a server which, according to the researchers, would be connected to Samsung Authorized Service Center.

The downloaded file is saved under the name notepad.exe and hosts a second executable inside, BootstrapCS.exe, which then handles the installation of the Trojan, after having verified that it is not running in a sandbox or a virtual machine. The Trojan is a modified version of Imminent Monitor, a commercial remote-control program that provides complete control of the host computer.
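The infection chain above starts with an Office attachment that carries an Equation Editor exploit for CVE-2017-11882, which travels inside an embedded OLE object in the OOXML package. The following is an added example of a mail-gateway triage check, written for this article and not code from TG Soft or Samsung: it unpacks an .xlsx/.docx (a ZIP container), lists every embedded object, and flags those whose blob carries an Equation Editor ProgID string. The `build_sample_xlsx` helper constructs a benign sample package with a fake embedding so the check can be run offline; the ProgID heuristic and the verdict thresholds are assumptions chosen for illustration, not a substitute for a full OLE parser or an antivirus engine.

```python
"""Triage an OOXML attachment for embedded OLE objects (added example).

CVE-2017-11882 exploits are delivered as an embedded Equation Editor OLE
object inside a .docx/.xlsx package, so surfacing any embedded object is a
cheap, conservative first check for a mail gateway.
"""
import io
import re
import zipfile

# ProgID strings found in the CompObj stream of Equation Editor objects.
# Assumption: this substring heuristic is a cheap stand-in for parsing the
# OLE compound file properly (e.g. with the olefile library).
EQUATION_PROGIDS = (b"Equation.3", b"Equation.2")

# Embedded objects live under <part>/embeddings/ in an OOXML package.
EMBEDDING_RE = re.compile(r"^(xl|word|ppt)/embeddings/[^/]+$")


def triage_ooxml(data: bytes) -> dict:
    """Return findings for one attachment: is it OOXML, which embedded
    objects it carries, and whether any looks like an Equation Editor object."""
    result = {"is_ooxml": False, "embedded_objects": [], "equation_editor": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP container, so not an OOXML document
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result  # a ZIP, but not an OOXML package
        result["is_ooxml"] = True
        for name in names:
            if EMBEDDING_RE.match(name):
                result["embedded_objects"].append(name)
                blob = zf.read(name)
                if any(progid in blob for progid in EQUATION_PROGIDS):
                    result["equation_editor"] = True
    return result


def verdict(data: bytes) -> str:
    """Map findings to a gateway action. Thresholds are an assumption:
    any Equation Editor object is quarantined, any other embedded object
    is held for analyst review, everything else passes."""
    findings = triage_ooxml(data)
    if findings["equation_editor"]:
        return "quarantine"
    if findings["embedded_objects"]:
        return "review"
    return "allow"


def build_sample_xlsx(with_equation_object: bool) -> bytes:
    """Construct a minimal sample package for testing. The embedded blob is a
    fake: an OLE magic header followed by a ProgID string, nothing executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_equation_object:
            fake_ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16 + b"Equation.3\x00"
            zf.writestr("xl/embeddings/oleObject1.bin", fake_ole)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_xlsx(False)),
                          ("equation object", build_sample_xlsx(True))):
        print(label, "->", verdict(sample), triage_ooxml(sample))
```

Because the spreadsheet in this campaign also had legitimate content (the list of unauthorized centers), a content-based allowlist would not have helped; the presence of an embedded OLE object in a document that should only contain cell data is the signal worth alerting on.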


hackers is not known, but through the Trojan several other tools were installed, each associated with a different command and control server, with spying functions including the ability to record from the webcam and the microphone and to log what is typed on the keyboard. The attack is thought to have targeted between 200 and 300 computers in the ecosystem of Samsung service centers.
