Cybersecurity experts have discovered a phishing operation designed to infect victims with a malicious backdoor, using command-and-control domains that intentionally spoofed the real-life domains of various Russian critical infrastructure firms, researchers at U.S. software company Cylance have revealed in a blog post.
At first glance, the campaign’s focus on critical infrastructure gave it the appearance of a cyberespionage operation, but upon closer inspection, researchers found that the motivation appears to actually be financial in nature.
“The effort required to set up those domains seemed disproportionate to the perceived benefit of using them simply as command-and-control infrastructure,” explains the blog post. And yet this seems to be the case, as the targeted companies were largely the same as those listed in a 2017 Forbes article written by Group-IB CEO Ilya Sachkov, who detailed a criminal scheme in which actors used lookalike C2 domains for a fraud and credential-harvesting operation.
Cylance’s report identifies Russian oil company Rosneft as among the most prominent companies whose domains were spoofed for command-and-control purposes, along with more than two dozen oil, gas, chemical, agricultural and other critical infrastructure organizations, as well as Russian financial exchanges. Examples included Russian holding company HCSDS (aka Siberian Business Union), and fertilizer companies Mendeleevazot and EuroChem.
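One defensive takeaway from the lookalike-domain finding is to watch DNS or proxy logs for names that imitate brands an organization cares about. The following is an added example, not code from Cylance or the report; the watchlist labels, the `.example` TLD and every query name are constructed placeholders, not real spoofed domains or indicators from the campaign.

```python
from typing import Optional

# Constructed watchlist of legitimate registrable labels (brand names).
WATCHLIST = {"rosneft", "eurochem", "mendeleevazot"}

# Common character substitutions seen in lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(label: str) -> str:
    """Fold digits and letter pairs that visually resemble other letters."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(fqdn: str) -> str:
    """Return the label left of the suffix; assumes a single-label TLD."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(fqdn: str) -> Optional[str]:
    """Return the imitated brand if fqdn looks like a lookalike, else None."""
    label = registrable_label(fqdn)
    if label in WATCHLIST:
        return None  # exact match against the (constructed) legitimate list
    folded = normalize(label)
    for brand in WATCHLIST:
        # homoglyph swap or a one-character typo of the brand name
        if folded == brand or levenshtein(folded, brand) <= 1:
            return brand
        # brand used as one hyphen-separated token, e.g. "rosneft-corp"
        if brand in folded.split("-"):
            return brand
    return None

def scan(queries):
    """Run classify() over query names; return (query, imitated brand) hits."""
    return [(q, b) for q in queries if (b := classify(q))]
```

In practice the watchlist would be the organization's own and partner brands, and hits should be triaged against newly registered-domain and certificate-transparency data rather than blocked blindly.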
Cylance discovered the campaign in early 2018, but found that the perpetrators behind it started up their operations three years earlier, initially targeting Steam users and the gaming community before shifting strategies. Their choice of malware throughout this time period was a variant of the RedControle backdoor.
According to Cylance, RedControle can upload and download files, manipulate files and folders, compress and decompress files using ZLIB, communicate drive and host information (including IP addresses, hostname, attached drives, keystrokes and clipboard data), elevate privileges, capture screenshots and webcam pictures, block and/or simulate user input, log keystrokes, and manipulate processes.
The software company said that the phishing campaign used Microsoft Office documents containing malicious macros in order to infect victims with a dropper that ultimately produces RedControle, along with a Sticky Keys backdoor — all while displaying an image of a holiday gift.