Attackers stole data from dozens of directories.
In October 2023, Doctor Web specialists investigated an incident related to a targeted cyber attack on a Russian machine-building enterprise. The attack began by sending phishing emails with the subject "investigation" of certain criminal cases on tax evasion.
The letters were sent from a spoofed address on behalf of an investigator of the Investigative Committee of the Russian Federation. They contained two attachments: a password-protected zip archive with malicious software and a pdf document that was not itself malicious. The pdf carried the phishing text, stating that all information about the "criminal case" was in the archive and encouraging the recipient to open the program found there.
The very first phishing email contained the archive Requirement 19098 Sled com RF dated 02.10.23 PASSWORD - 123123123.zip. The Trojan inside it was hidden in the file List of legal entities and enterprises, tax evasion, requirements and additional.exe.
A later email carried the phishing pdf The investigator's request, tax evasion (request within the UD).pdf together with the zip archive Request 19221 of the RF IC dated 11.10.2023 PASSWORD - 123123123.zip, with the following contents.
As in the earlier messages, the attackers put the archive password both in the archive name and in the name of a document inside it, the password for opening 123123123.odt. That document, as well as the files Rights and obligations and procedure of Articles 164, 170, 183 of the Code of Criminal Procedure of the Russian Federation.pdf and IC RF.png, were not malicious.
This archive contained two copies of the malware, named List of enterprises, tax evasion, technical and additional materials.exe and List of issues, invoices and primary documents.exe.
In all cases, the malicious application distributed by the attackers was Trojan.Siggen21.39882. This malware, known as WhiteSnake Stealer, is able to steal credentials and install additional malware on victims' computers. Sold on the darknet, it served as the first stage of the infection. On receiving the appropriate commands, it collected and transmitted to the attackers the configuration of the Wi-Fi network profiles of the infected system, together with the passwords for accessing them. After that, JS.BackDoor.60 was activated; it became the attackers' main tool for interacting with the infected systems.
JS.BackDoor.60 is written in JavaScript and consists of the main encrypted body and auxiliary modules. Through common functions, modules represent additional malicious tasks that the backdoor can perform. New modules are delivered from a remote server, expanding the Trojan's capabilities.
To hide its presence, JS.BackDoor.60 modified shortcuts in system directories, including the Desktop and the Taskbar. As a result, when any shortcut was opened, the backdoor was launched first and only then the original program.
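The shortcut hijack described above leaves a trace in the .lnk files themselves. The following added example (not from the Doctor Web write-up) parses the StringData section of a Windows shell link per the MS-SHLLINK layout and flags shortcuts that launch a script host or pass a .js file; the sample shortcut bytes, file names and the assumption that a hijacked shortcut points at a script host with the original program in its arguments are constructed for illustration.

```python
import re
import struct

# LinkFlags bits from the MS-SHLLINK specification (offset 0x14 of the header)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# Script hosts that a document or application shortcut normally has no reason to launch
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta|powershell)(\.exe)?\b", re.I)

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link (relative path, arguments, ...)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
    return fields

def is_suspicious(fields: dict) -> bool:
    """Flag shortcuts that launch a script host or pass a .js/.jse file as an argument."""
    launch = fields.get("relative_path", "") + " " + fields.get("arguments", "")
    return bool(SCRIPT_HOSTS.search(launch) or re.search(r"\.jse?\b", launch, re.I))

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .lnk (no IDList/LinkInfo) so the checks can run offline."""
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)                      # HeaderSize
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    struct.pack_into("<I", header, 0x3C, 1)                      # ShowCommand = SW_SHOWNORMAL
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return bytes(header) + body
```

On a live host, feed `parse_lnk` the bytes of every .lnk under the user's Desktop and the Taskbar pinned folder and review anything `is_suspicious` returns; a shortcut to an office suite or browser that resolves to wscript.exe is the pattern to look for.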
Using JS.BackDoor.60, the attackers remotely controlled the infected system and stole data from dozens of directories, including personal and corporate documents. They also took screenshots of the victim's screen.
For audio surveillance, the attackers used another malware, BackDoor.SpyBotNET.79. This backdoor recorded audio through the computer's microphone, but only when it detected a sound level characteristic of the human voice.
The attackers also tried to infect the system with the Trojan downloader Trojan.DownLoader46.24755, but due to an error on their side they did not succeed.
Based on the results of the analysis, Doctor Web experts were unable to link the attack to known APT groups. However, the incident demonstrates a serious threat from available commercial malware and social engineering as a method of infection.
Companies are encouraged to strengthen the protection of their IT infrastructure, especially workstations and email gateways. It is also extremely important to regularly train employees in cybersecurity rules and inform them about current malware and phishing threats.
