Security researchers have discovered ongoing malware campaigns targeting Samsung service centers in Italy, campaigns that appear to be the counterparts of attacks that have previously targeted similar electronics service centers in Russia this year.
These malware campaigns are nothing out of the ordinary, and the only thing that remains a mystery is their purpose and end goal.
Mundane malware distribution effort
The attacks usually start with the delivery of spoofed spear-phishing emails to Samsung Italy service center workers.
These emails carry attached Excel documents that, when opened, leverage the CVE-2017-11882 Office Equation Editor vulnerability to infect users with malware.
The entire malware delivery system and exploit chain is described in a detailed report published by Italian cyber-security firm TG Soft and is nearly identical to the attacks targeting electronics service centers in Russia, as described in a previous Fortinet report.
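As an added illustration, not code from the TG Soft or Fortinet reports, here is a small Python detector run over constructed process-creation records: exploitation of CVE-2017-11882 executes inside the Equation Editor process (EQNEDT32.EXE), which has no legitimate reason to launch other programs, so any child process of it is a high-confidence signal regardless of which RAT is delivered. The "key=value|key=value" log format and field names are assumptions.

```python
from typing import Dict, List

# Constructed sample process-creation events in a simplified Sysmon-like
# "key=value|key=value" form (assumed format, not taken from either report).
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=EXCEL.EXE ordine.xls",
    "Image=C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe|CommandLine=EQNEDT32.EXE -Embedding",
    "Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
    "|CommandLine=cmd.exe /c start dropped.exe",
    "Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe",
]

# Equation Editor is an out-of-process COM server started on Office's behalf
# (its parent is normally svchost.exe); it should never spawn child processes.
EQUATION_EDITOR = "eqnedt32.exe"


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into a field dictionary."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    """Lower-cased final path component, handling Windows backslashes on any OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_suspicious(events: List[str]) -> List[Dict[str, str]]:
    """Return every event whose parent process is EQNEDT32.EXE, with a reason."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if basename(ev.get("ParentImage", "")) == EQUATION_EDITOR:
            hits.append({
                "child": basename(ev.get("Image", "")),
                "cmdline": ev.get("CommandLine", ""),
                "reason": "Equation Editor spawned a child process (CVE-2017-11882 pattern)",
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['child']}: {hit['cmdline']} -> {hit['reason']}")
```

On the sample data only the cmd.exe launch is flagged; the legitimate Equation Editor start from svchost.exe is not, because the rule keys on EQNEDT32.EXE as parent, not as child.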
Both attack waves, targeting Italy and Russia, started at the end of March, according to the two reports. But while Russian service centers were targeted with the Imminent Monitor RAT, the attacks on Samsung Italy service centers also leveraged other RATs, such as NetWire and njRAT.
Both companies also noted that the spear-phishing emails are very well put together, and appear to have been written by native Italian and Russian speakers, respectively.
Nobody knows the purpose of these attacks
But despite all the data gathered by TG Soft and Fortinet, the two companies have not been able to determine why the hackers are trying to infect electronics service centers in the first place.
Such service centers hold very little customer data that a threat actor could steal, and an attacker has many other, more attractive companies to target that would yield more useful data.
One explanation may be that attackers are trying to taint the tools used in these service centers so that they could infect the repaired devices with malware. But this is only a theory, as no evidence has been unearthed to support this scenario, and this entire malware distribution campaign remains shrouded in a fog of mystery.