{"id":18617,"date":"2022-03-29T10:10:07","date_gmt":"2022-03-29T18:10:07","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/03\/29\/news-12350\/"},"modified":"2022-03-29T10:10:07","modified_gmt":"2022-03-29T18:10:07","slug":"news-12350","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/03\/29\/news-12350\/","title":{"rendered":"New spear phishing campaign targets Russian dissidents"},"content":{"rendered":"

Credit to Author: Threat Intelligence Team| Date: Tue, 29 Mar 2022 18:02:48 +0000<\/strong><\/p>\n

This blog post was authored by Hossein Jazi.<\/em><\/p>\n

Several threat actors have taken advantage of the war in Ukraine to launch a number of cyber attacks. The Malwarebytes Threat Intelligence team is activity monitoring these threats and has observed activities associated with the geopolitical conflict.<\/p>\n

More specifically, we’ve witnessed several APT actors such as Mustang Panda<\/a>, UNC1151<\/a> and SCARAB<\/a> that have used war-related themes to target mostly Ukraine. We’ve also observed several different wipers<\/a> and cybercrime groups such as FormBook<\/a> using the same tactics. Beside those known groups we saw an actor<\/a> that used multiple methods to deploy a variants of Quasar Rat. These methods include using documents that exploit CVE-2017-0199 and CVE-2021-40444, macro-embedded documents, and executables. <\/p>\n

On March 23, we identified a new campaign that instead of targeting Ukraine is focusing on Russian citizens and government entities. Based on the email content it is likely that the threat actor is targeting people that are against the Russian government.<\/p>\n

The spear phishing emails are warning people that use websites, social networks, instant messengers and VPN services that have been banned by the Russian Government and that criminal charges will be laid. Victims are lured to open a malicious attachment or link to find out more, only to be infected with Cobalt Strike or a Remote Administration Trojan (Rat).<\/p>\n

Spear phishing as the main initial infection vector<\/h2>\n

These emails pretend to be from the “Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation” and “Federal Service for Supervision of Communications, Information Technology and Mass Communications” of Russia.<\/p>\n

We have observed two documents associated with this campaign that both exploit CVE-2021-40444. Even though CVE-2021-40444 has been used in a few attacks in the past, to the best of our knowledge this was the first time we observed an attacker use RTF files instead of Word documents to exploit this vulnerability. Also the actor leveraged a new variant of this exploit called CABLESS in this attack. Sophos<\/a> has reported an attack that used a Cabless variant of this exploit but in that case the actor has not used the RTF file and also used RAR file to prepend the WSF data to it.<\/p>\n