A new spear-phishing campaign is under way in Russia, targeting dissidents who oppose the position that the state and national media promote on the war against Ukraine. The campaign targets civil servants and public-sector employees with emails warning about software tools and online platforms that are banned in the country.
The messages carry a malicious attachment or a link embedded in the body that drops a Cobalt Strike beacon on the recipient's system, allowing remote operators to conduct espionage against the target.
The campaign was discovered and reported by threat analysts at Malwarebytes Labs, who were able to sample several of the lure emails.
Several phishing pathways
The phishing emails pretend to be from a Russian state entity, a ministry, or a federal service, to lure recipients into opening the attachment.
The "Ministry of Information Technologies and Communications of the Russian Federation" and the "Ministry of Digital Development, Communications, and Mass Communications" are the two main spoofed entities.
The threat actors use three different file types to infect their targets with Cobalt Strike: RTF (Rich Text Format) files, archive attachments containing malicious files, and download links embedded in the email body.
The RTF case is the most interesting because it involves exploitation of CVE-2021-40444, a remote code execution flaw in the rendering engine used by Microsoft Office documents.
Figure: RTF file triggering the rendering engine exploit (Malwarebytes)
As expected, all of the phishing emails are written in Russian, and they appear to have been crafted by native speakers rather than machine-translated, suggesting that the campaign is run by a Russian-speaking actor.
Apart from Cobalt Strike, Malwarebytes also observed parallel attempts to deploy a heavily obfuscated PowerShell-based remote access trojan (RAT) with the ability to fetch next-stage payloads.
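For defenders triaging the RTF attachments described above, the following is an added example (not code from Malwarebytes or the article) that inspects an RTF file without rendering it: it confirms the RTF magic, counts embedded OLE objects, decodes the \objdata hex stream and flags URL schemes inside it. The "mhtml:" heuristic reflects the known CVE-2021-40444 document exploits and is my own knowledge, not something the article states; the sample files are constructed fixtures.

```python
import re

RTF_MAGIC = b"{\\rtf1"
# Control words that introduce an embedded OLE object and its hex payload.
OBJECT_RE = re.compile(rb"\\object\b")
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9a-fA-F\s]+)")
# URL schemes worth flagging inside an embedded object. "mhtml:" is the scheme
# used by known CVE-2021-40444 document exploits (own knowledge, not from the article).
SUSPECT_SCHEMES = (b"mhtml:", b"http://", b"https://", b"file://")


def decode_objdata(hex_blob: bytes) -> bytes:
    """Turn the \\objdata hex stream (which may contain whitespace) into raw bytes."""
    clean = re.sub(rb"\s+", b"", hex_blob)
    if len(clean) % 2:  # tolerate a truncated trailing nibble
        clean = clean[:-1]
    return bytes.fromhex(clean.decode("ascii"))


def triage_rtf(data: bytes) -> dict:
    """Return a verdict for one attachment: is it RTF, how many objects, which schemes."""
    if not data.startswith(RTF_MAGIC):
        return {"is_rtf": False, "objects": 0, "schemes": [], "suspicious": False}
    objects = len(OBJECT_RE.findall(data))
    found = set()
    for blob in OBJDATA_RE.findall(data):
        raw = decode_objdata(blob)
        # Check both ASCII and UTF-16LE forms, since OLE payloads use either.
        haystacks = (raw.lower(), raw.replace(b"\x00", b"").lower())
        for scheme in SUSPECT_SCHEMES:
            if any(scheme in h for h in haystacks):
                found.add(scheme.decode())
    return {"is_rtf": True, "objects": objects, "schemes": sorted(found),
            "suspicious": objects > 0 and bool(found)}


# Constructed samples (not real campaign files): a plain memo and a document
# whose embedded object carries an mhtml: reference to an invalid host.
BENIGN_RTF = b"{\\rtf1\\ansi Hello, this memo has no embedded objects.}"
payload_hex = b"mhtml:http://example.invalid/x".hex().encode()
SUSPECT_RTF = (b"{\\rtf1\\ansi {\\object\\objemb{\\*\\objdata "
               + payload_hex + b"}}}")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF)):
        print(name, triage_rtf(blob))
```

A hit only means the attachment deserves sandbox detonation or a block; legitimate documents can embed objects, so the object count alone is not a verdict.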
Crackdown on dissidents
The targets of this campaign work mainly in the Russian government and public agencies, including the following entities:
- Portal of the authorities of the Chuvash Republic (official website)
- Russian Ministry of Internal Affairs
- Ministry of Education and Science of the Republic of Altai
- Ministry of Education of the Stavropol Territory
- Ministry of Education and Science of the Republic of North Ossetia-Alania
- Government of the Astrakhan region
- Ministry of Education of the Irkutsk region
- Portal of state and municipal services of the Moscow region
- Ministry of Science and Higher Education of the Russian Federation
The above organizations suggest that the phishing actors are targeting individuals who hold key positions and could cause problems for the central government by instigating anti-war movements.
The so-called "special operation" in Ukraine hasn't unfolded the way the Kremlin envisioned, and Western sanctions have materialized on a scale well beyond what was anticipated, so this campaign may be the result of the higher government raising its vigilance against possible coups.
This is a plausible explanation of why Russia-based hackers are interested in conducting espionage against mid-to-high-ranking government officials and ministry employees, but at this time it is only an assumption.
Malwarebytes has mapped the infrastructure used by the threat actor(s) behind the latest campaign and will continue to monitor the associated activity.