Massive cyber attacks hit dozens of Russian organizations: hackers use a new backdoor

Carding 4 Carders
Professional
From phishing to password theft: how the attacks on Russian institutions took place.

Russian institutions from the state and industrial sectors have become victims of a massive cyberattack detected by Kaspersky Lab. Attackers used phishing emails with a malicious archive attached, which launched a new backdoor on infected devices. The attack was aimed at stealing data such as screenshots, documents, browser passwords, and clipboard contents.

The attack began in June 2023 and lasted until mid-August. The attackers sent emails imitating official messages from the regulator, with a forged PDF document and a malicious archive. If the victim opened the archive, an NSIS (.nsi) installer script was run on their device, which installed a backdoor in a hidden window. At the same time, the name of the site from which the malware was downloaded imitated the site of the official agency.

After launching, the malware checks for Internet access by trying to connect to legitimate web resources (foreign media sites). It then checks the infected device for software and tools that could detect its presence, such as sandboxes or virtual environments. If at least one was found, the backdoor stopped its activity. Once all the checks were passed, the malware connected to the attackers' server and loaded modules that allowed it to steal information from the clipboard, take screenshots, and find user documents with popular extensions (for example, .doc, .docx, .pdf, .xls, .xlsx). All data was transmitted to the management server.

In mid-August, the attackers updated their backdoor, adding a new module for stealing passwords from browsers and increasing the number of environment checks. The infection chain remains the same. Among the differences: the attackers removed the Internet access check via legitimate web resources, so the malware now connects to the management server immediately. The malware's arsenal also gained a module that allows it to steal passwords from browsers. In addition, the number of environment checks for tools that can detect malicious activity has increased.
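The infection chain described above (archive attachment, installer started from a temp extraction folder in a hidden window, then a connection to a site whose name imitates the official agency) can be expressed as a correlation rule over endpoint telemetry. The following is an added defensive example written for this page; it is not code from Kaspersky Lab or from the forum post. The official domain list, the archiver names, the telemetry field names (`image`, `parent`, `hidden_window`, `query`) and all sample events are assumptions constructed here for illustration.

```python
"""
Added example (not from the article or from Kaspersky): correlate an archive-spawned,
hidden-window launch with a later DNS lookup of a lookalike agency domain
from the same process. All domains, paths and events below are constructed.
"""
from dataclasses import dataclass, field

# Assumption: the genuine agency domain(s) whose name the download site imitated.
OFFICIAL_DOMAINS = ("regulator.example",)
# Assumption: archive tools whose child processes deserve scrutiny.
ARCHIVER_IMAGES = ("winrar.exe", "7zfm.exe", "7z.exe")
# Paths under which archivers drop extracted files before execution.
TEMP_MARKERS = ("\\temp\\", "\\appdata\\local\\temp\\")


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed)
    host: str
    kind: str          # "process" or "dns"
    pid: int
    data: dict = field(default_factory=dict)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to spot typosquatted agency domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level(domain: str) -> str:
    """Return the registrable label, e.g. 'regulator' for 'www.regulator.example'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(domain: str, max_distance: int = 2) -> bool:
    """True when the domain imitates an official one without being it (or a subdomain of it)."""
    d = domain.lower().rstrip(".")
    if d in OFFICIAL_DOMAINS or any(d.endswith("." + o) for o in OFFICIAL_DOMAINS):
        return False
    label = second_level(d)
    return any(levenshtein(label, second_level(o)) <= max_distance for o in OFFICIAL_DOMAINS)


def is_suspicious_launch(ev: Event) -> bool:
    """Executable extracted by an archiver into a temp directory and started with a hidden window."""
    if ev.kind != "process":
        return False
    image = ev.data.get("image", "").lower()
    parent = ev.data.get("parent", "").lower()
    return (parent in ARCHIVER_IMAGES
            and any(m in image for m in TEMP_MARKERS)
            and bool(ev.data.get("hidden_window", False)))


def correlate(events, window=300):
    """Pair each suspicious launch with a lookalike-domain lookup from the same pid within `window` seconds."""
    alerts = []
    for launch in (e for e in events if is_suspicious_launch(e)):
        for ev in events:
            if (ev.kind == "dns" and ev.host == launch.host and ev.pid == launch.pid
                    and 0 <= ev.ts - launch.ts <= window
                    and is_lookalike(ev.data.get("query", ""))):
                alerts.append({"host": launch.host, "pid": launch.pid,
                               "image": launch.data["image"], "domain": ev.data["query"]})
    return alerts


# Constructed sample telemetry: one true positive on ws-17, one benign host ws-22.
SAMPLE_EVENTS = [
    Event(1, "ws-17", "process", 4120, {"image": r"C:\Users\ivan\AppData\Local\Temp\Rar$DIa1\regulator_letter.exe",
                                         "parent": "winrar.exe", "hidden_window": True}),
    Event(9, "ws-17", "dns", 4120, {"query": "regu1ator.net"}),        # lookalike of the agency domain
    Event(12, "ws-17", "dns", 4120, {"query": "regulator.example"}),   # genuine site, not flagged
    Event(20, "ws-22", "process", 880, {"image": r"C:\Program Files\Tool\tool.exe",
                                        "parent": "explorer.exe", "hidden_window": False}),
    Event(25, "ws-22", "dns", 880, {"query": "regu1ator.net"}),        # lookalike, but no suspicious launch
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately requires both halves of the chain: a lookalike lookup alone (ws-22) stays quiet, as does a hidden-window launch that only talks to the genuine site, which keeps the alert volume low while still catching the sequence the article describes.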