A Ukrainian-based threat player is spearphishing Russians who are using services that have been banned by the Kremlin.
A spearphishing campaign targeting Russian citizens & govt. entities that are not aligned with the actions of the Russian Govt. is the latest in numerous threats that have emerged since Russia invaded the Ukraine in Feb.
Kremlin
Researchers from MalwareBytes identified a campaign last week that targets entities using websites, social networks, instant messengers & VPN services banned by the Kremlin, according to a blog post published Tues. by Hossein Jazi, Manager, Threat Intelligence Analyst at MalwareBytes.
Targets are receiving various emails that they will face charges due to this activity, with a lure to open a malicious attachment or link to find out more, Jazi wrote.
The messages seem to be from the “Ministry of Digital Development, Telecommunications & Mass Communications of the Russian Federation” & the “Federal Service for Supervision of Communications, Information Technology & Mass Communications,” he stated.
Microsoft Office
MalwareBytes observed 2 documents associated with the campaign using the previously identified flaw named MSHTML & tracked as CVE-2021-40444. This defect, which has been patched, is a remote-code execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents.
“Even though CVE-2021-40444 has been used in a few attacks in the past, to the best of our knowledge this was the 1st time we observed an attacker use RTF files instead of Word documents to exploit this vulnerability,” Jazi wrote.
CABLESS
Also, the threat player used a new variant of an MSHTML exploit called ‘CABLESS’ in the campaign, researchers explained. Sophos previously reported an attack that used this variant; however, in that case the player did not use an RTF file, Jazi observed in the post.
The campaign also varies from most other cyber threats that have emerged since Russia invaded Ukraine on Feb. 24, which usually tend to attack targets in Ukraine or others sympathetic to the war-torn country’s cause.
Attack Sequence
Researchers intercepted some emails being used in campaigns, all of which are in Russian. One that they observed is a letter to a target about limitation of access to the Telegram application in Russia, outlined the post.
The email includes an RTF with an embedded url that downloads an HTML file that exploits the MSHTML bug, researchers explained. The HTML file contains a script that executes the script in Windows Script Host (WSF) data embedded in the RTF file, which contains a JavaScript code that can be accessed from a remote location.
“In this case, this data has been accessed using the downloaded HTML exploit file,” Jazi explained.
“Executing this script leads to spawning PowerShell to download a Cobalt Strike beacon from the remote server & execute it on the victim’s machine.”
Potentially Carbon Spider?
Researchers are not sure who is behind the campaign but noted the similarity of the lure as to one used before & linked to the threat group Carbon Spider, which in the past has targeted Russian financial institutions.
A previous Carbon Spider campaign also used an email template claiming to be from the Federal Service for Supervision of Communications, Information Technology & Mass Communications as a lure, states the post.
In that campaign, the threat player used a PowerShell-based remote-access trojan (RAT) in a hidden PowerShell script that used a combination of Base64 & custom obfuscation, outlines the post.
RAT
Inside the script was a RAT that could move the attack to the next stage & execute various payloads, including a JavaScript, PowerShell, Executable or DLL.
“This RAT starts its activity by setting up some configurations which include the command-&-control, or C2 URL, intervals, debug mode & a parameter-named group that initialised with ‘Madagascar’ which probably is the alias of the threat actor,” Jazi wrote.
Potential Victims
Based on MalwareBytes’ observations of the domains targeted in the campaign, potential victims are from a number of regional & federal govt. organisations.
These include the authorities of the Chuvash Republic Official internet portal; the Russian Ministry of Internal Affairs; the Ministry of Education & Science of the Republic of Altai; the Ministry of Education of the Stavropol Territory; the Minister of Education & Science of the Republic of North Ossetia-Alania; & the Ministry of Science & Higher Education of the Russian Federation.