A new phishing campaign targeting hundreds of organizations in Russia has been uncovered by security researchers. The cybercriminals behind the campaign targeted around 800 computers across 400 Russian organizations. The campaign targeted organizations associated with industrial production, including, the manufacturing, oil and gas, engineering, energy, mining and construction industries.
According to Kaspersky Lab security researchers, who discovered the phishing campaign, the attacks began in November 2017 and is currently ongoing. However, the threat actors behind this campaign are believed to have been active since at least 2015.
“The phishing emails are disguised as legitimate commercial offers and are sent mainly to industrial companies located in Russia,” Kaspersky researchers wrote in a blog. “The content of each email reflects the activity of the organization under attack and the type of work performed by the employee to whom the email is sent.”
The campaign makes use of various malware variants. The primary malware used by the attackers installs legitimate remote administration software such as TeamViewer or Remote Manipulator System/Remote Utilities (RMS).
This allows the attackers to gain complete control over the targeted systems, while ensuring that the malware’s activities remain disguised, helping attackers evade detection.
“According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts,” the researchers said. “When attackers connect to a victim’s computer, they search for and analyze purchase documents, as well as the financial and accounting software used. After that, the attackers look for various ways in which they can commit financial fraud, such as spoofing the bank details used to make payments.”
The campaign makes use of several malware variants, including the Babylon RAT, Betabot, AZORult and the Hallaj PRO RAT. The additional malware variants are downloaded by the attackers when they need to expand their control over an infected system. These additional malware are also specifically tailored to an attack on a specific victim.
The combined capabilities of all the malware variants used by the campaign allows the threat actors the ability to steal system information, check for whether the targeted system has a webcam, microphone and is running any anti-virus programs, stealing cryptocurrency wallets, conducting DDoS attacks and more.
Kaspersky Lab researchers believe that the cybercriminals behind this campaign are likely Russian, given how the phishing emails were well-crafted and in Russian. The researchers also believe that although the campaign mainly targeted Russian organizations, the same tactics and tools could be used to attack any organization in any part of the world.
“This research demonstrates once again that even when they use simple techniques and known malware, threat actors can successfully attack many industrial companies by expertly using social engineering and masking malicious code in target systems,” Kaspersky researchers added. “Criminals actively use social engineering to keep users from suspecting that their computers are infected. They also use legitimate remote administration software to evade detection by antivirus solutions.”