In Russia, a new spear-phishing campaign is underway that targets dissenters whose views on the war in Ukraine differ from those presented by the state and national media.
The campaign distributes emails to government personnel and public servants, alerting them about software and online platforms that are illegal in the country.
The emails carry a malicious attachment or link that drops a Cobalt Strike beacon on the recipient's computer, giving remote operators the ability to spy on the victim.
The campaign was discovered and reported on by Malwarebytes Labs threat analysts, who were able to sample some of the bait emails.
Various phishing methods
To persuade recipients to open the attachment, the phishing emails pretend to be from a Russian state organisation, ministry, or federal service.
The main two spoofed organizations are the "Russian Federation Ministry of Information Technologies and Communications" and the "Russian Federation Ministry of Digital Development, Communications, and Mass Communications."
To attack their targets with Cobalt Strike, the threat actors use three different file types: RTF (rich text format) files, archive attachments of malicious documents, and download links inserted in the email body.
The RTF case is the most interesting, since it involves exploitation of CVE-2021-40444, a remote code execution flaw in the rendering engine used by Microsoft Office documents.
All of the phishing emails are written in Russian, as expected, and they appear to have been written by native speakers rather than machine translated, implying that the campaign is being run by a Russian-speaking actor.

In addition to Cobalt Strike, Malwarebytes discovered simultaneous attempts to spread a deeply obfuscated PowerShell-based remote access trojan (RAT) capable of fetching next-stage payloads.
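The three lure types described above (RTF attachments, archive attachments, and download links in the body) plus the spoofed ministry display names are all visible in the raw message, so a defender can triage incoming mail for them before anything is opened. The script below is an added example, not code from Malwarebytes or from the article; the sender-domain allow-list, the ministry keywords and the sample messages are constructed assumptions for illustration and should be replaced with an organisation's own values.

```python
"""Triage e-mail messages for the lure types described in the campaign write-up.

Added example; all sample messages, domains and keyword lists are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: organisation names the campaign spoofs, matched against the From
# display name. Real display names may differ; extend as needed.
SPOOFED_ORG_KEYWORDS = (
    "Ministry of Digital Development",
    "Ministry of Information Technologies",
)
# Assumption: placeholder for domains a genuine ministry mail would come from.
TRUSTED_SENDER_SUFFIXES = (".gov.ru",)
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def triage(raw: bytes) -> dict:
    """Return findings for one RFC 5322 message given as raw bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display name claims a ministry, but the address is not a trusted domain.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_ministry = any(k.lower() in name.lower() for k in SPOOFED_ORG_KEYWORDS)
    if claims_ministry and not domain.endswith(TRUSTED_SENDER_SUFFIXES):
        findings.append(f"display name claims a ministry but sender domain is '{domain}'")

    # 2. RTF or archive attachments (checked by name, MIME type and magic bytes).
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if fname.endswith(".rtf") or ctype == "application/rtf" or payload.startswith(b"{\\rtf"):
            findings.append(f"RTF attachment '{fname}' (vector used for CVE-2021-40444 in this campaign)")
        elif fname.endswith(ARCHIVE_EXT):
            findings.append(f"archive attachment '{fname}'")

    # 3. Download links in the message body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        findings.append(f"download link in body: {url}")

    return {"subject": str(msg.get("Subject", "")), "findings": findings, "suspicious": bool(findings)}


# --- constructed sample messages (not real campaign artefacts) -----------------

def build_sample_rtf_lure() -> bytes:
    msg = EmailMessage()
    msg["From"] = '"Ministry of Digital Development" <noreply@example.invalid>'
    msg["To"] = "official@example.invalid"
    msg["Subject"] = "List of prohibited software"
    msg.set_content("Please review the attached list of prohibited platforms.")
    msg.add_attachment(b"{\\rtf1\\ansi constructed placeholder}",
                       maintype="application", subtype="rtf", filename="list.rtf")
    return msg.as_bytes()


def build_sample_link_lure() -> bytes:
    msg = EmailMessage()
    msg["From"] = '"Ministry of Information Technologies and Communications" <info@example.invalid>'
    msg["To"] = "official@example.invalid"
    msg["Subject"] = "Blocked platforms notice"
    msg.set_content("Download the notice: http://example.invalid/notice.zip")
    return msg.as_bytes()


def build_sample_benign() -> bytes:
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "official@example.invalid"
    msg["Subject"] = "Lunch"
    msg.set_content("See you at noon.")
    return msg.as_bytes()


if __name__ == "__main__":
    for build in (build_sample_rtf_lure, build_sample_link_lure, build_sample_benign):
        result = triage(build())
        print(result["subject"], "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for f in result["findings"]:
            print("   ", f)
```

The magic-byte check matters more than the file name: a CVE-2021-40444 lure is still an RTF if it is renamed to `.doc`, so flagging on `{\rtf` catches the renamed variant that a simple extension filter would miss.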
The campaign's targets are mostly employed by the Russian government and public sector, including the following organisations:
- Portal of authorities of the Chuvash Republic Official Internet portal
- Russian Ministry of Internal Affairs
- Ministry of Education and Science of the Republic of Altai
- Ministry of Education of the Stavropol Territory
- Minister of Education and Science of the Republic of North Ossetia-Alania
- Government of Astrakhan region
- Ministry of Education of the Irkutsk region
- Portal of the state and municipal service Moscow region
- Ministry of science and higher education of the Russian Federation
Judging by the organisations listed above, the phishing actors target people in key positions who could cause problems for the central government by stirring up anti-war movements.