The hackers that gained access to over a hundred computers at Indian outsourcer Wipro were attempting gift card and rewards program fraud, new security research suggests.
At first, the Wipro attack was thought to be the work of state-sponsored threat actors.
Security vendor Flashpoint said the breach that was revealed in April this year saw dozens of Wipro employee Windows accounts being compromised via phishing emails.
This led to further attacks against 11 Wipro customers, including IT service providers CapGemini, Avanade, Cognizant and Infosys, and cloud hosting company Rackspace.
Flashpoint said the attackers wanted the victims' credentials "likely in order to gain access to the portals managing their gift card and rewards programs."
While the identity of the attackers has not been revealed, Flashpoint found that they had tried to spread a remote administration tool (RAT) malware called Imminent Monitor, which was used in a phishing campaign in 2017.
Further analysis of re-used infrastructure and file name constructs suggested to Flashpoint that the attackers may have been active as early as 2015.
The attackers abused legitimate security applications in their phishing campaign against Wipro, Flashpoint said.
Among these were phishing templates that matched those provided by a security awareness provider.
The attackers also dropped the ScreenConnect remote access program on computers compromised at Wipro, and some of the domains used in the attack hosted the powerkatz and powersploit scripts that can be used to steal credentials and launch exploits, the security vendor said.