Hackers target Russian government: fake Windows updates deliver RATs

Researchers discover new malware attacks aimed at Russian government entities

Russian government attacked by hackers who deliver RATs

Attackers target Russian government agencies with phishing campaigns. These emails pretend to be Windows security updates and lure recipients into installing the remote access malware on the machine.^[1] These attacks are conducted by the new advanced persistent threat group that is linked to China hackers.^[2] This APT is already linked to other spear-phishing campaigns targeting Russia, particularly since the Russo-Ukrainian war that started in February.

The ultimate goal of these attacks is to infect targets with the custom remote access trojan that is commonly used in espionage campaigns like this. RAT malware can be used to open the backdoors on the system for additional malware or hackers and directly run as the information stealer virus. These threats can be used to surveil the computers that are infected and run commands on it remotely, as researchers from Malwarebytes said.^[3]

The group associated with these attacks is a Chinese hacking crew whose operations have been overlapping with RAT and Sakula Rat malware used by the threat actors known as Deep Panda. This particular attack chain reported recently used various lures over the course of attacks. Those changes in the malware are small and only reside in the source code.

Phishing campaigns using UA indications as a lure

This attack chain started days after the invasion of Ukraine in February 2022, and it was ongoing for the last few months. The RAT malware^[4] was delivered using the file names interactive_map_UA.exe. This particular fact shows how criminals can adapt and adjust to the theme in the world and manipulate these vectors to achieve their attack goals. This is the lure that is up-to-date and maximizes the changes, or success for attackers.

The second round of the attack shows more preparation on the hackers' end because the attack is more sophisticated. Hackers used the tar.gz archive that was supposed to be a fix for the Log4Shell flaw sent by the Ministry of Digital Development, telecommunications, and Mass Communications of the Russian Federation. The flaw made headlines due to attacks back in 2021.^[5]

The email message also came with the PDF file that contained instructions for the installation of this patch. Also, listed the best security practices to follow. These included the two-factor authentication enabling, using the Kaspersky antivirus tool, and staying away from replying to suspicious emails.

Third campaign round spoofing Rostec

Another campaign of the attack followed the last two and made use of the malicious executable file – build_rosteh4.exe. This was the attempt to pass off the malware as though it was from Rostec – a Russian state-owned defense conglomerate. Actors used the newly registered domains like Rostec.digital and fake Facebook accounts too. These were used to spread the malware while making the impression that the entity is already known and legitimate.

In April 2022, these hackers switched to the macro-infected Word document with the fake job advertisements by Saudi Aramco, the large oil and natural gas firm. This document used the remote template injection to fetch the malicious template and drop the VBS script. This acted as a trigger for the infection chain resulting in the RAT deployment.

The DLL file that is the malware payload has various advanced tricks to evade analysis and incorporated features that allow the malware to execute commands in the infected machine. These attacks are following other researchers' analyses of different Chinese APT groups like Stone Panda and Mustang Panda.