MetaStealer from the Ministry of Digital Development: hackers disguise malware as security certificates

Brother

Phishing attacks in Russia are reaching a new level of sophistication.

F.A.C.C.T. warns of a new wave of targeted phishing attacks on users of state-owned online services in Russia. The attackers send fake emails allegedly from the Ministry of Digital Development of Russia with a request to urgently install special security certificates.

According to analysts of the F.A.C.C.T. Cybersecurity Center, the mailing was conducted on January 25 using spoofing — the sender's address was forged to match the legitimate address of the Ministry of Digital Development.

"From 30.01.2024, users who have not installed the certificates of the NUC of the Ministry of Digital Development of the Russian Federation on their operating systems may have problems with access, up to its complete absence, to such services as: Public Services, online banking, state resources, and a number of other Russian services," the attackers wrote.

Unlike typical phishing emails, these messages were designed professionally and looked plausible. The "Download" button in the email led to an archive with a loader, and at the end of the entire chain the MetaStealer stealer (a variant of the well-known RedLine Stealer malware) was loaded.

"MetaStealer is a spyware designed to steal confidential data from a victim's computer. It first appeared in 2022 and is distributed through phishing mailings," the Cybersecurity Center explained.

The message text also contained a link that, when clicked, downloads the archive russian_trusted_ca_ms.cer.rar from the malicious resource hXXps://wb4o[.]com/click?key=667d6c67929b40aa205b&sub1=user@example[.]en, where user@example[.]en is replaced by the real email address of the potential target of the attack. Inside the archive were two identical executable files, russian_trusted_root_ca.cer.exe and russian_trusted_sub_ca.cer.exe, masquerading as security certificates. In fact, instead of a certificate, the MetaStealer spyware is eventually downloaded from the malicious resource and collects sensitive data from the victim's computer.

According to the company's experts, MetaStealer was recently used actively by the hacker group Sticky Werewolf; however, judging by the features of this attack, another group may be behind it, since the stealer is openly available for sale.