Malicious software dissemination campaign (updated)

The National Computer Emergency Response Team sees the use of third-party e-mail services in official activities as one of the main threat vectors for state bodies and organizations.

At the beginning of 2020 we recorded another campaign distributing malicious software (hereinafter referred to as malware) to users of the national segment of the Internet.

A distinguishing feature of this campaign is that the cybercriminals sent the messages from compromised e-mail accounts of real employees rather than from fake identities.

CERT.BY managed to establish that the mailing was carried out from the 11th to 13th February 2020.

So far, the accounts (4) used for mailing the malware have been identified.

Hacking

Attackers gained access to the following e-mail accounts:

  • rkgivov@tut.by
  • niipulm@tut.by
  • minzcgie@tut.by
  • konf.amia@tut.by

Note that the tut.by mail hosting itself has been running on the Yandex service since 2015 (https://42.tut.by/435592):

$ host -t mx tut.by

tut.by mail is handled by 10 mx.yandex.ru.

Messages containing malware were sent on behalf of these e-mail boxes.

CERT.BY has sent the appropriate requests to clarify how and when access to these mailboxes was obtained.

Malware dissemination

Messages containing malware were written in Russian. The attackers used a standard social engineering technique: the subject lines either referred to topics that were relevant to the national segment in February 2020 or matched the usual content and subjects of the addressees' professional activities. Below is a list of subjects that the attackers used in their mailings:

• «Coronavirus in Belarus is confirmed»

• «The Academy of the Ministry of Internal Affairs – conference materials»

In addition, the letters contained links whose displayed text and real target usually differed: the message showed a link to Yandex Disk, but the link actually led to the domain theslidershare[.]com, filedownload[.]email or downloadsprimary[.]com. The link downloaded a script that starts downloading a PDF file and unpacks an exe file. The script then runs the executable (exe) file.
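The mismatch between the displayed link and the real link described above can be checked mechanically in a mail filter or during triage. The following Python is an added example, not CERT.BY's tooling: the function and class names and the sample message body are constructed for illustration, and the domains are the ones listed in this advisory.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Domains from this advisory, kept defanged (the page spells one of them two ways).
IOC_DOMAINS = {d.replace("[.]", ".") for d in (
    "wildboarcontest[.]com", "theslidershare[.]com", "theslideshare[.]com",
    "filedownload[.]email", "downloadsprimary[.]com")}
# Constructed sample body, not a captured message; the first href is refanged at runtime.
SAMPLE = ('<a href="http://%s/doc">https://disk.yandex.ru/d/materials</a>'
          '<a href="https://disk.yandex.ru/d/ok">https://disk.yandex.ru/d/ok</a>'
          % "filedownload[.]email".replace("[.]", "."))

def host_of(text):
    """Host of a URL or bare domain, or None when text is not URL-like."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    try:
        return urlsplit(text if "://" in text else "//" + text).hostname
    except ValueError:  # malformed input such as unbalanced brackets
        return None

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def audit_links(html_body):
    """Return (shown_host, real_host, reasons) for each suspicious link."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real, shown = host_of(href), host_of(text)
        reasons = ["display-mismatch"] if real and shown and real != shown else []
        if real and any(real == d or real.endswith("." + d) for d in IOC_DOMAINS):
            reasons.append("ioc-domain")
        if reasons:
            findings.append((shown, real, reasons))
    return findings
```

A link is reported when its visible text looks like a URL on a different host than the href, or when the href host is one of the listed domains or a subdomain of one; links with ordinary anchor text are only checked against the domain list.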

COMMAND AND CONTROL CENTER

During the technical analysis of the group's activities, it was possible to establish the IP addresses and domain names of the command and control centers (C&C) that control the dissemination of the malware.

http[:]//wildboarcontest[.]com

108.170.55.202

SPREAD

The campaign has become widespread among users of the national segment of the Internet. We have found many victims in different organizations. The malware was addressed to employees of state bodies and organizations, legal entities and individuals, more than 100 in total.

The mailing was carried out to the following state bodies:

• the Council of the Republic;

• the Council of Ministers;

• Ministry of Economics;

• Ministry of Finance;

• Ministry of Industry;

• Ministry of Information;

• State Committee for Standardization;

• a number of law enforcement agencies, as well as individuals and legal entities.

The investigation into the activities of this group of cybercriminals is currently ongoing in order to clarify various circumstances and conditions.

COMPROMISE INDICATORS

  • wildboarcontest[.]com
  • theslideshare[.]com
  • filedownload[.]email
  • downloadsprimary[.]com
  • the presence of the «MediaCodec» key in the registry branch HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • the presence of «Client Runtime Manager.exe» file or «Usermode COM Manager.exe» file in %temp% folder (e.g. C:\Users\user\AppData\Local\Temp)