Threat Actor: Spring

description-logo Description

SPRING is a threat actor that relies on specially crafted spearphishing attacks that contain vertical specific verbiage to lure an unsuspecting victim into opening a malicious attachment. The first discovered set of attacks appear to be primarily focused on maritime interests; however subsequent follow up investigations of related infrastructure has helped us determine that this is a part of an larger attack; as several other verticals were observed targeted as well.

Campaigns were first discovered around March 2020 targeting multiple industry verticals, with a primary concentration on corporations in South Korea. We observed one off attacks in different countries as well, with an interesting campaign targeting a maritime information technology firm in Norway and a shipping organization in Poland. This campaign appears to go far back as February 2019 with the most recent campaign we found occurring in March 2020 .

The preferred method of initial attack is by way of infostealers; specifically, Agent Tesla and Lokibot. Both families are commodity off the shelf malware; meaning that bad actors are able to source these samples from either resellers or by custom versions that have been hacked or snippets of original source code incorporated into them. Commodity malware makes it easier for those who don't have much overhead or expertise to develop their own tools; and for certain threat actors perhaps the unlikely side benefit - it makes the task of providing attribution next to impossible.

For more information on the TTPs used by Spring, go to our Playbook Viewer and select Spring from the menu.


Spring Playbook