Russian Govt Impersonators Target Telcos in Phishing Attacks
A previously unknown and financially motivated hacking group is impersonating a Russian agency in a phishing campaign targeting entities in Eastern European countries.
The phishing emails pretend to come from the Russian Government’s Federal Bailiffs Service and are written in the Russian language, with the recipients being telecommunication service providers and industrial firms in Lithuania, Estonia, and Russia.
DarkWatchman has been linked to Russian threat actors before, focusing primarily on targeting organizations in their own country.
In this campaign, discovered by IBM’s X-Force team, the threat group is identified as Hive0117, and they appear to take advantage of the turbulence in the region, which is currently facing a variety of malicious cyber activities.
In many of the cases seen by X-Force, the phishing emails targeted the owners of companies or at least high-ranking employees.
The sender’s address imitates an authentic one from the Russian Ministry of Justice, for example, “mail@r77[.]fssprus[.]ru”, and the email body also features the real emblem.
The subject of the emails is typically something compelling that will convince the recipient to open the attachment, which is a ZIP archive named ‘Исполнительный лист XXXXXXX-22’ or ‘Счет 63711-21 от 30.12.2021.zip’.
“The contents of the emails feature identical Russian-language text detailing several articles related to enforcement procedures associated with the Kuntsevsky District Court of Moscow, upheld by the ‘Bailiff of the Interdistrict Department of Bailiffs for the Execution of Decisions of the Tax Authorities’,” explains IBM in their report.
The attached ZIP file attachments contain executables that drop DarkWatchman on the compromised machine, along with a copy of the encrypted keylogger.
X-Force’s analysis also reveals that the DarkWatchman strain used by Hive0117 employs a domain generation algorithm (DGA) to generate C2 domains, making its infrastructure mapping and take-down harder.
Also Read: How to: Effectively prevent email spoofing
“While the target list of the phishing campaign attributed to Hive0117 has regional associations with the Russian invasion of Ukraine, the activity predates the invasion, indicating they’re separate from any politically charged associations that have spurred recent waves of criminal activity,” explains IBM
The threat group appears to be motivated by financial profit, and they’re likely targeting entities with a large user base to access their client pool indirectly.
The use of DarkWatchman, a file-less malware, is categorizing Hive0117 as a semi-sophisticated actor, still capable of causing significant damage to organizations in Eastern Europe.