Study of a targeted attack on a Russian enterprise in the mechanical-engineering sector



March 11, 2024


In October 2023, Doctor Web was contacted by a Russian mechanical-engineering enterprise that suspected malware was present on one of its computers. Our specialists investigated the incident and determined that the affected company had encountered a targeted attack. During this attack, malicious actors had sent phishing emails with an attachment containing the malware responsible for the initial system infection and for installing other malicious tools in the system.

The goal of this attack was to collect sensitive information about the employees as well as to gather data about the company's infrastructure and its internal network. In addition, we detected that data had been uploaded from the infected computer; this included files stored on the computer and screenshots taken while the malware was in operation.

General information about the attack and the tools involved

In early October 2023, malicious actors sent several phishing emails to the email address of the affected company. The subject of the messages was related to an "investigation" of certain criminal cases of tax evasion. These emails were supposedly sent on behalf of an investigator with the Investigative Committee of the Russian Federation and contained two attachments. The first one was a password-protected ZIP archive. It hid the malware which, when executed, initiated the system infection process. The second attachment, a PDF document, was not malicious. It contained a phishing text stating that all the information about the "criminal case" was in the archive and encouraged the user to open the malware from it.

The very first such phishing message contained the ZIP archive Трeбoвaниe 19098 Cлед ком РФ от 02.10.23 ПАРОЛЬ – For its part, the trojan application in it was hidden in the file Перечень юридических лиц и предприятий, уклонение от уплаты налогов, требования и дополнительные.exe.

One of the last messages sent is the one shown below:


The phishing PDF document Требование следователя, уклонение от уплаты налогов (запрос в рамках УД).pdf and the ZIP archive Трeбoвaниe 19221 СК РФ от 11.10.2023 ПАРОЛЬ – were attached to it. The archive contained the following items:


As in their earlier messages, the attackers indicated the password for extracting files from the archive both in its name and in the name of the document Пароль для открытия 123123123.odt. This document itself, as well as the files Права и обязанности и процедура ст. 164, 170, 183 УПК РФ.pdf and СК РФ.png, were not malicious.

This archive contained two copies of the trojan application: Перечень предприятий, уклонение от уплаты налогов, а также дополнительные материалы.exe and Дополнительные материалы, перечень вопросов, накладные и первичные документы.exe.

In all cases, Trojan.Siggen21.39882 was the malware distributed by the attackers. This malware, also known as WhiteSnake Stealer, is sold on the DarkNet and is used to steal account data from a variety of software and to hijack other data. Moreover, it can download and install other malicious apps on attacked computers. In the targeted attack in question, it was assigned the role of initiating the first infection stage. After receiving the corresponding commands, this trojan collected and transmitted to the attackers information about the Wi-Fi network profiles configured in the infected system as well as the passwords for accessing them. It then launched an SSH proxy server and installed the second stage in the system.

The second stage, and at the same time the threat actors' main tool, was the JS.BackDoor.60 backdoor. It was the tool through which the main interaction between the attackers and the infected system took place. One of the backdoor's features is that it uses its own JavaScript framework. The trojan consists of the main obfuscated body and additional modules that, owing to the specifics of the malware's architecture, are simultaneously a trojan component and the tasks it executes through the JavaScript functions they share. The trojan receives new tasks from its C&C server, and these de facto turn it into a multi-component threat with expandable functionality, which allows it to be used as a powerful cyberespionage tool.

The mechanism that JS.BackDoor.60 used to give itself the ability to autorun is also of interest. Along with a traditional method (making the necessary changes to the Windows registry), the trojan modified shortcut files (.lnk) in a specific way. For this, it checked the contents of a number of system directories, including the Desktop and taskbar directories. For all the shortcut files it found in them (excluding Explorer.lnk or Проводник.lnk), it assigned the program wscript.exe as the target application to launch. At the same time, it added special arguments for its execution, one of which was the Alternate Data Stream (ADS) into which the backdoor body had been written. As a result of these changes, the modified shortcuts launched JS.BackDoor.60 first, and only after that the original programs.
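The shortcut hijack described above leaves two artifacts a defender can look for on a Windows host: .lnk files whose target has been redirected to a script host with arguments that name an NTFS alternate data stream, and the stream itself on the referenced file. The following PowerShell script is an added example, not Doctor Web's code or anything from the report; the list of shortcut directories, the Run keys it inspects and the regular expressions are assumptions made for this example (the report does not name the registry keys the trojan changed).

```powershell
# Added example (not Doctor Web's code): hunt a Windows host for shortcut files
# redirected to wscript.exe/cscript.exe, list the alternate data streams their
# arguments refer to, and check common Run keys for script-host entries.
# Directory list, Run-key list and regular expressions are assumptions.

$ErrorActionPreference = 'SilentlyContinue'   # keep going on access-denied paths

# Places where users click shortcuts day to day (assumed set; extend per estate).
$ShortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",   # contains User Pinned\TaskBar
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Script hosts that an ordinary desktop shortcut should not point at.
$ScriptHosts = @('wscript.exe', 'cscript.exe')

# <path>:<stream> with at least two characters before the colon, so the drive
# letter in C:\... is not mistaken for a stream separator. A quoted path with
# spaces is only partially captured, which is still enough to flag the shortcut.
$AdsRegex = [regex]'(?<path>[^\s"]{2,}):(?<stream>[^\s\\/:"]+)'

$Shell = New-Object -ComObject WScript.Shell

function Get-SuspiciousShortcut {
    foreach ($Dir in $ShortcutDirs) {
        Get-ChildItem -LiteralPath $Dir -Filter *.lnk -Recurse -File | ForEach-Object {
            $Lnk = $Shell.CreateShortcut($_.FullName)
            $TargetName = [IO.Path]::GetFileName($Lnk.TargetPath)
            # No Explorer.lnk exclusion here: skipping it was the malware's choice, not ours.
            if ($ScriptHosts -contains $TargetName) {
                $Refs = $AdsRegex.Matches($Lnk.Arguments) | ForEach-Object {
                    '{0}:{1}' -f $_.Groups['path'].Value, $_.Groups['stream'].Value
                }
                [PSCustomObject]@{
                    Shortcut  = $_.FullName
                    Target    = $Lnk.TargetPath
                    Arguments = $Lnk.Arguments
                    AdsRefs   = @($Refs)
                }
            }
        }
    }
}

function Get-StreamsForFinding {
    param([Parameter(ValueFromPipeline)] $Finding)
    process {
        foreach ($Ref in $Finding.AdsRefs) {
            $HostFile = $Ref.Substring(0, $Ref.LastIndexOf(':'))
            # Get-Item -Stream enumerates NTFS streams; ':$DATA' is the file's normal content.
            Get-Item -LiteralPath $HostFile -Stream * |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [PSCustomObject]@{
                        Shortcut = $Finding.Shortcut
                        HostFile = $HostFile
                        Stream   = $_.Stream
                        Bytes    = $_.Length
                    }
                }
        }
    }
}

# Common autorun keys (assumed list; the report does not name the keys used).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ScriptHostRunEntry {
    foreach ($Key in $RunKeys) {
        $Props = Get-ItemProperty -Path $Key
        if (-not $Props) { continue }
        foreach ($P in $Props.PSObject.Properties) {
            if ($P.Name -like 'PS*') { continue }   # provider metadata, not a value
            if ("$($P.Value)" -match '(?i)\b[wc]script\.exe') {
                [PSCustomObject]@{ Key = $Key; Name = $P.Name; Command = $P.Value }
            }
        }
    }
}

$Findings = @(Get-SuspiciousShortcut)
'{0} shortcut(s) redirected to a script host' -f $Findings.Count
$Findings | Format-List
$Findings | Get-StreamsForFinding | Format-Table -AutoSize
Get-ScriptHostRunEntry | Format-Table -AutoSize
```

Run it in the context of each interactive user, since the Desktop, Start Menu and Quick Launch paths resolve per profile. A shortcut whose target is a script host is already worth a look on its own; the ADS listing and the Run-key entries tell you whether the pattern from this report (stream-resident body, launched before the original program) is what you are seeing.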

Throughout the entire attack, the malicious actors actively sent various commands to the backdoor. With its help, they stole the contents of dozens of directories from the infected computer, which contained both personal and corporate data. Moreover, we found evidence that the trojan had created screenshots.

The additional spying tool in this attack was the BackDoor.SpyBotNET.79 malware, which was used for audio surveillance and for recording conversations through the microphone connected to the infected computer. This trojan recorded audio only when it detected a certain sound intensity, specifically one characteristic of a voice.

At the same time, the attackers also tried to infect the system with the Trojan.DownLoader46.24755 downloader trojan, but failed due to an error that occurred.

The chronology of the attack is shown in the following illustration:


The chronology of the tasks received by JS.BackDoor.60:


The analysis carried out by our specialists did not clearly indicate the involvement of any of the previously known APT groups in this attack.

For detailed technical descriptions of the malicious programs detected, please refer to the PDF version of the study or visit the Doctor Web virus library.

More details on Trojan.Siggen21.39882

More details on JS.BackDoor.60

More details on BackDoor.SpyBotNET.79

More details on Trojan.DownLoader46.24755


The use of malicious tools that are available as a commercial service (MaaS, Malware as a Service), such as Trojan.Siggen21.39882, allows even relatively inexperienced malicious actors to carry out fairly sophisticated attacks against both companies and government agencies. For its part, social engineering still poses a serious threat. It is a relatively simple but effective way to bypass a built-in security layer, and it can be used by both experienced and novice cybercriminals. In this regard, it is especially important to ensure that the entire infrastructure of an enterprise is protected, including its workstations and email gateways. Moreover, it is recommended to conduct periodic training sessions for employees on the topic of information security and to familiarize them with current digital threats. All these measures will help reduce the risk of cyber incidents and minimize the damage from attacks.

Indicators of compromise

