Banned Applications Used as a Lure to Target Russian Users

Cyble Research and Intelligence Labs (CRIL) has discovered a phishing campaign, wherein threat actors are using applications banned in Russia to target users.

Attack overview

  • The attack is carried out via phishing sites mimicking popular applications such as ExpressVPN, WeChat, and Skype. None of these applications is accessible in Russia because of nationwide restrictions, which is what makes them an effective lure.
  • While the sites pretend to host legitimate applications, they actually deliver the Remote Management System (RMS), a legitimate remote administration tool, which the attackers use to gain initial access to victims' systems.
  • After gaining initial access, the attackers deploy different malware families to perform various malicious activities, such as stealing sensitive data.

Attribution

  • The presence of Russian-language strings in the malware binary points to a Russian-origin threat actor.
  • Researchers suggest that TA505 might be behind this campaign, based on that group's past use of the RMS tool.
  • The version of RMS used in this campaign enables attackers to establish a remote connection, record the victim's screen, and collect system details.

The use of legitimate remote control tools by threat actors remains prevalent in the cyber threat landscape. Because such tools are signed, widely deployed, and expected on many networks, they let attackers blend in with legitimate administrative traffic and carry out their actions covertly.

Ending note

Implement application allowlisting to restrict the execution of unknown or unapproved applications, and periodically review the list of services and processes running on systems so that an unsanctioned remote administration tool does not go unnoticed. Furthermore, set up alerts for unusual or suspicious traffic patterns, which may indicate communication with an attacker-controlled C2 server.
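The host-side checks above (allowlisting plus review of what is running) can be turned into a simple triage rule. The script below is an added example written for this page, not code from Cyble or Cyware, and it does not use any indicator from the report: the allowlist, the remote-tool binary names, and the process-start records are all constructed for illustration and should be replaced with your own policy and telemetry. It flags three things: a known remote administration tool starting at all, an executable that is not on the allowlist, and an allowlisted name running from a directory the allowlist does not permit (a common masquerade).

```python
"""Triage process-start records against an application allowlist.

Added example (not part of the Cyble/Cyware report). All names, paths and
sample events below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Assumed corporate allowlist: lowercase image name -> directory it may run from.
# In practice this is derived from the AppLocker/WDAC policy already deployed.
ALLOWLIST = {
    "explorer.exe": r"C:\Windows",
    "svchost.exe": r"C:\Windows\System32",
    "chrome.exe": r"C:\Program Files\Google\Chrome\Application",
    "outlook.exe": r"C:\Program Files\Microsoft Office\root\Office16",
}

# Remote administration tools that are frequently abused for initial access.
# The binary names are assumptions for this example; verify them against
# vendor documentation before using them in a real detection.
REMOTE_ADMIN_TOOLS = {
    "rutserv.exe": "Remote Utilities / RMS host service (assumed name)",
    "rfusclient.exe": "Remote Utilities / RMS client (assumed name)",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
}


@dataclass
class ProcessStart:
    host: str
    user: str
    image: str    # full path of the executable that started
    parent: str   # full path of the parent process


@dataclass
class Alert:
    host: str
    image: str
    severity: str
    reason: str


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _directory(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def triage(event: ProcessStart) -> Optional[Alert]:
    """Return an Alert for a suspicious process start, or None if it is approved."""
    name = _name(event.image)
    # Remote admin tools are flagged before the allowlist is consulted, because
    # this campaign's whole point is to run one of them on the victim host.
    if name in REMOTE_ADMIN_TOOLS:
        return Alert(event.host, event.image, "high",
                     f"remote administration tool started: {REMOTE_ADMIN_TOOLS[name]}")
    allowed_dir = ALLOWLIST.get(name)
    if allowed_dir is None:
        return Alert(event.host, event.image, "medium", "executable not on allowlist")
    if _directory(event.image) != allowed_dir.lower():
        return Alert(event.host, event.image, "high",
                     f"allowlisted name running from unexpected path (expected {allowed_dir})")
    return None


def triage_all(events: List[ProcessStart]) -> List[Alert]:
    return [alert for alert in (triage(e) for e in events) if alert is not None]


# Constructed sample telemetry, roughly what a Sysmon event ID 1 feed provides.
SAMPLE_EVENTS = [
    ProcessStart("ws01", "ivan", r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ProcessStart("ws01", "ivan", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\explorer.exe"),
    # the lure's payload: RMS host dropped into the user's profile
    ProcessStart("ws01", "ivan", r"C:\Users\ivan\AppData\Roaming\RMS\rutserv.exe",
                 r"C:\Users\ivan\Downloads\ExpressVPN_Setup.exe"),
    # allowlisted name, wrong location
    ProcessStart("ws01", "ivan", r"C:\Users\ivan\AppData\Local\Temp\svchost.exe",
                 r"C:\Users\ivan\AppData\Roaming\RMS\rutserv.exe"),
    # the fake installer itself
    ProcessStart("ws01", "ivan", r"C:\Users\ivan\Downloads\ExpressVPN_Setup.exe",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for alert in triage_all(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.host}: {alert.image} -> {alert.reason}")
```

If a remote administration tool is sanctioned in your environment, remove it from `REMOTE_ADMIN_TOOLS` and add it to `ALLOWLIST` with its installed path, so that the same tool dropped into a user profile directory still raises the "unexpected path" alert. Pairing this with a traffic rule that alerts on outbound connections from any non-allowlisted image covers the third recommendation above.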
Publisher: Cyware