In a blog post, the Avast Threat Intelligence Team said it had decided to go public after making direct contact with the affected organisation but finding that thereafter "they would not respond, return communications or provide any information".
Given the lack of engagement, Avast said it had limited information to make public. "We are only able to describe two files we observed in the attack. In this blog, we are providing our analysis of these two files," the blog post said.
However, Avast said that its analysis of the two files made it reasonable to conclude that "attackers were able to intercept and possibly exfiltrate all local network traffic in this organisation".
"We also have indications that the attackers could run code of their choosing in the operating system’s context on infected systems, giving them complete control."
Avast described one file as masquerading as oci.dll and abusing WinDivert, a legitimate Windows packet capture and diversion library backed by a kernel driver, to listen in on all communications on the host.
"It allows the attacker to download and run any malicious code on the infected system. The main scope of this downloader may be to use privileged local rights to overcome firewalls and network monitoring," the Avast team noted.
It said the second file also masqueraded as oci.dll, replacing the first file at a later stage of the process and operating as a decryptor.
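Avast's post does not name where the fake oci.dll lived or how WinDivert was loaded, so a defender is left with the two tradecraft facts above: a file using the name of Oracle's client library, and a packet-diversion driver on a machine that should not need one. The PowerShell below is an added example written for this page, not code from Avast or from the affected organisation. It assumes a Windows host with PowerShell 5 or later and an elevated session; the search roots are a reasonable place to start, not locations named in Avast's analysis. Note that a genuine oci.dll belongs to an Oracle client install and is signed by Oracle, and that Windows' MSDTC service will load an oci.dll placed in System32, which is why the name is a popular DLL-hijacking target.

```powershell
# Added example, not from Avast's blog: hunt for oci.dll copies and WinDivert on a host.
# Assumptions (labelled hypothetical): an elevated PowerShell 5+ session; the roots
# below are search locations chosen for this example, not paths reported by Avast.
$roots = @("$env:SystemRoot\System32", $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }   # drop null entries on 32-bit hosts

# 1. Every oci.dll on disk, with hash, Authenticode state and signer.
#    Anything unsigned, or signed by someone other than Oracle, deserves a look;
#    an oci.dll sitting in System32 with no Oracle client installed is a red flag.
$ociFiles = Get-ChildItem -Path $roots -Filter 'oci.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Modified  = $_.LastWriteTime
        }
    }
$ociFiles | Format-Table -AutoSize

# 2. WinDivert ships as WinDivert32.sys / WinDivert64.sys registered as a kernel service.
#    On a workstation or database server with no packet-diversion tooling deployed,
#    its presence (installed or running) is the thing to explain.
$divertDrivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like 'WinDivert*' -or $_.PathName -like '*WinDivert*' } |
    Select-Object Name, State, StartMode, PathName
$divertDrivers | Format-Table -AutoSize

# 3. Which processes have the user-mode WinDivert DLL mapped? That identifies the host
#    process carrying the capture logic. Module enumeration fails for some protected
#    processes even when elevated, so those are skipped rather than aborting the sweep.
$divertModules = foreach ($p in Get-Process) {
    try {
        foreach ($m in $p.Modules) {
            if ($m.ModuleName -like 'WinDivert*') {
                [pscustomobject]@{ Process = $p.ProcessName; PID = $p.Id; Module = $m.FileName }
            }
        }
    } catch { }   # access denied on protected processes; ignore
}
$divertModules | Format-Table -AutoSize
```

Run it from an elevated prompt; without elevation steps 2 and 3 return incomplete results. A hit in step 1 that is unsigned or not Oracle-signed, combined with a hit in step 2 or 3, matches the pairing Avast describes and is worth pulling the file for analysis rather than deleting it on the spot, since the hash is the only indicator the organisation will have to share.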
The team concluded: "Because the affected organisation would not engage we do not have any more factual information about this attack. It is reasonable to presume that some form of data gathering and exfiltration of network traffic happened, but that is informed speculation.
"Further, because this could have given total visibility of the network and complete control of an infected system it is further reasonable speculation that this could be the first step in a multi-stage attack to penetrate this, or other networks more deeply in a classic APT-type operation."
More details are available on the Avast blog.