
As part of international cooperation, the National Computer Emergency Response Team of the Republic of Belarus (CERT.BY) implemented a set of measures in the first quarter of 2025 aimed at countering the spread of cyber threats and minimizing potential damage in the national segment of the Internet.
During ongoing monitoring, phishing emails containing malicious software were detected. Analysis of the malware revealed the use of Snake Keylogger as the payload — a stealer-type malware designed to extract web browser credentials, capture clipboard contents, collect system information, IP address, and geolocation data of the infected host, as well as perform keylogging and take desktop screenshots.
This malware is distributed under a Malware-as-a-Service (MaaS) model and is provided by attackers on a commercial basis to interested parties.

Example of a phishing email
The phishing mailing recorded by CERT.BY was sent from a previously compromised corporate email account of a state-owned enterprise, hosted with an external service provider.
Authentication took place against the mail service of Active Technologies LLC (webmail.active[.]by, port 25) over SMTP.
Neither the sent messages nor the authentication logs were retained: the account owner had not enabled the additional logging and retention settings available for the service, and SMTP itself only transfers messages from the sender to the mail server or between servers; it does not govern the storage or deletion of mail.
Consequences Identified
The investigation revealed cases of compromise of hosts in both the public and private sectors of the Republic of Belarus. In particular, organizations in the following industries were affected:
- Retail
- E-commerce
- Online services
- Banking sector
Indicators of the observed phishing mailings:
Recorded recipient addresses:
- info@svyaznoy[.]com
- cfo@tteb[.]shop
Message subjects:
- order request suggestion
- Re: NPZ Contract
- RFQ-PR 1-62557 & 38929 CÔNG TY TNHH TECH BINH THANH ORDER
Attachments (in some cases the malicious file was attached directly to the message; in others it was downloaded via a link in the message):
- order request suggestion.rar (MD5: 2a0c3095492e2181d5db0c16f56d73b7) – the archived payload itself
- NPZ contract.pdf (MD5: 208414e07351f4a89629e13f8aa71351) – contains a download link
- Scan_document00098982998943.pdf (MD5: 510e9ccfa9bb6b87b86d769c7294d954) – contains a download link
- AVB818124.rar (MD5: a58e96364fe93706f5dda404ff6852e2) – a dropper that assembles the next stage of the malware (Snake Keylogger) locally; this dropper performs no network communication
- Remington.exe (MD5: 4c8c1ceb91408ad5a5011b56b325419e) – Snake Keylogger
Network indicators of the droppers (redirect -> final download):
- https[:]//rb[.]gy/86gjwk -> https[:]//www.dropbox[.]com/scl/fi/lq69tvtf0xr0evosfz524/Scan-documents64567436872q39878pdf342677909.rar?rlkey=97kzboq250ul2l9zjdyj1e82n&st=hk1eolj7&dl=1
- https[:]//sustainabuz[.]com/redir.html -> https[:]//ucarecdn[.]com/284fd1ce-7457-44c8-a85c-8eea6e7f15ea/Scan_document0021000900000000[.]zip
- https[:]//ucarecdn[.]com/02bd07f9-33de-4055-ab8c-318038bcceb6/ScanDocument00975486728724[.]zip
Network indicators of Snake Keylogger:
- FTP exfiltration server: 50.31.176[.]103
- checkip.dyndns[.]org (158.101.44[.]242, 193.122.130[.]0)
- reallyfreegeoip[.]org (188.114.97[.]11, 188.114.97[.]0, 104.21.67[.]152)
- srv256.prodns[.]com[.]br (162.241.203[.]25)
- api.telegram[.]org (149.154.167[.]220)
- unassigned.quadranet[.]com (69.174.100[.]131) serves the next stage of the malware
- aborters.duckdns[.]org (192.169.69[.]26)
- 51.38.247[.]67
Note: requests to the Telegram API and to the public IP and geolocation lookup services (checkip.dyndns[.]org, reallyfreegeoip[.]org) are weak indicators, since legitimate software also contacts them. A hit on any one of these alone requires verification and must not be treated as confirmation of compromise.
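The following script is an added example and is not part of the CERT.BY report or its tooling. It shows how a SOC can hunt for the network indicators listed above in proxy or firewall logs while honouring the caveat about weak indicators: a single contact with checkip, reallyfreegeoip or the Telegram API produces no alert, but two or more of those services contacted by the same host inside a short window (the sequence Snake Keylogger performs at start-up before exfiltrating) does, and any contact with the campaign-specific hosts and IPs alerts immediately. The key=value log format, the ten-minute window and the sample log lines are assumptions constructed for this example; the indicator values are the report's, with the defanging removed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the report, refanged. "Strong" ones are specific to this
# campaign; "weak" ones are public services legitimate software also uses.
STRONG = {
    "50.31.176.103",                                # FTP exfiltration server
    "unassigned.quadranet.com", "69.174.100.131",   # serves the next stage
    "aborters.duckdns.org", "192.169.69.26",
    "srv256.prodns.com.br", "162.241.203.25",
    "51.38.247.67",
}
# Every weak value maps to its service so that two IPs of the same service
# count as one indicator, not two.
WEAK_SERVICE = {
    "checkip.dyndns.org": "checkip", "158.101.44.242": "checkip",
    "193.122.130.0": "checkip",
    "reallyfreegeoip.org": "geoip", "188.114.97.11": "geoip",
    "188.114.97.0": "geoip", "104.21.67.152": "geoip",
    "api.telegram.org": "telegram", "149.154.167.220": "telegram",
}

# Assumed log format: "<ISO timestamp> src=<ip> host=<name|-> dst=<ip>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+host=(?P<host>\S+)\s+dst=(?P<dst>\S+)")
WINDOW = timedelta(minutes=10)   # assumed: weak hits must cluster this tightly

# Constructed sample telemetry for this example, not real logs.
SAMPLE_LOGS = [
    "2025-02-14T09:12:03Z src=10.0.0.15 host=checkip.dyndns.org dst=158.101.44.242",
    "2025-02-14T09:12:05Z src=10.0.0.15 host=reallyfreegeoip.org dst=188.114.97.11",
    "2025-02-14T09:12:09Z src=10.0.0.15 host=api.telegram.org dst=149.154.167.220",
    "2025-02-14T09:30:00Z src=10.0.0.22 host=api.telegram.org dst=149.154.167.220",
    "2025-02-14T14:00:00Z src=10.0.0.22 host=checkip.dyndns.org dst=193.122.130.0",
    "2025-02-14T10:01:44Z src=10.0.0.31 host=- dst=50.31.176.103",
    "2025-02-14T10:05:12Z src=10.0.0.40 host=www.example.com dst=93.184.216.34",
    "malformed line that the parser skips",
]


def parse(line):
    """Return (timestamp, src, host, dst) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["host"].lower().rstrip("."), m["dst"]


def hunt(lines):
    """Map each source host that touched an indicator to a verdict:
    'strong', 'weak-combination', or None (weak hits that did not cluster)."""
    strong_hits = defaultdict(set)
    weak_hits = defaultdict(list)          # src -> [(timestamp, service)]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, host, dst = rec
        for value in (host, dst):
            if value in STRONG:
                strong_hits[src].add(value)
            elif value in WEAK_SERVICE:
                weak_hits[src].append((ts, WEAK_SERVICE[value]))

    verdicts = {}
    for src in set(strong_hits) | set(weak_hits):
        if strong_hits[src]:
            verdicts[src] = "strong"
            continue
        events = sorted(weak_hits[src])
        flagged = False
        # Slide over the weak hits: >= 2 distinct services within WINDOW
        # matches the IP check -> geolocation -> Telegram exfil sequence.
        for i, (t0, _) in enumerate(events):
            services = {svc for t, svc in events[i:] if t - t0 <= WINDOW}
            if len(services) >= 2:
                flagged = True
                break
        verdicts[src] = "weak-combination" if flagged else None
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(hunt(SAMPLE_LOGS).items()):
        print(f"{src}: {verdict or 'weak hit only, verify manually'}")
```

Hosts with a `None` verdict are still worth a manual look if they are not known to run IP-lookup or Telegram clients, but they should not page anyone; the dropper download URLs above are better hunted by their full URL path rather than by host, since Dropbox and ucarecdn are legitimate services.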
In connection with the above, CERT.BY recommends following these rules:
- Avoid using weak passwords, including simple numeric sequences, birth dates, repeated characters, or other easily guessable combinations.
- Eliminate the practice of using the same password for different services and accounts.
- Pay special attention to the contents of emails, including messages from known contacts, since the sender address may be spoofed or the sender's mailbox compromised.
- Do not click on hyperlinks in questionable emails, do not open attachments, and especially do not unpack password-protected archives obtained from unreliable sources.
- If you have doubts about the authenticity or security of electronic messages, links, or files, you should immediately consult information security specialists or your organization’s system administrator.
Additionally, it is recommended to perform a thorough scan of your information systems and personal computers for signs of compromise, follow our security recommendations, and stay informed through our updates.
If a threat is detected, please inform us by CERT.BY e-mail: support@cert.by.