Another RAT on the Horizon: How ‘XenoRAT’ Malware Infiltrates Systems Through Phishing Emails


While monitoring the national segment of the Internet, specialists of the National Computer Emergency Response Team of the Republic of Belarus (CERT.BY) obtained samples of phishing messages being distributed by malicious actors.

Analysis of the recipient list showed that the primary targets of the attack were government organizations located mainly in the Gomel region.

Given the current foreign policy situation, the attacker used social engineering techniques intended to increase the recipient's trust in the message: the subject line, sender name, signature and attachment name were all chosen to fit that context.

Figure 1. The original message.

Technical details of the phishing email:

  1. Date: 2025-07-17;
  2. From: gomelvoenkom@mail[.]ru (this address is not used by the Military Commissariat of the Gomel region);
  3. Received: by f127.i.mail.ru with local (envelope-from <gomelvoenkom@mail[.]ru>) id 1ucJNk-0004Xb-ED; Received: from f127.i.mail.ru (f127.i.mail.ru [45.84.128.36]);
  4. Subject: TO ASSIST THE STAFF OF MILITARY COMMISSARIATS;
  5. Attachment: Propaganda materials of the Military Commissariat.rar (md5: 312ba524eb5be87bc4c37a2a82a7aaa0; VirusTotal had no information about this archive at the time the hash was checked): https://www.virustotal.com/gui/search/312ba524eb5be87bc4c37a2a82a7aaa0.

Inside the archive: Propaganda materials+Military commissar.exe, a PE32 executable (GUI) Intel 80386, for MS Windows (md5: 82b9fbd467ad1de2695f79cba4137928, https://www.virustotal.com/gui/file/fa6d9528488ad2aca13f7ef00f29b097af82fa5650a0658b427012bb4e808378)

When the sample is run, a decoy document opens with the following content:

Figure 2. A blank document.

Technical details from analysis of the sample:

  1. The sample is a XenoRat client, i.e. the implant side of the open-source XenoRat remote access tool: https://github.com/moom825/xeno-rat;
  2. It persists via Task Scheduler, creating a task named DocxReader Service;
  3. It copies itself to the user's Roaming directory: C:\Users\<user_name>\AppData\Roaming\XenoManager\document.exe;
  4. On startup it creates the decoy file C:\Users\<user_name>\AppData\Local\Temp\document.docx;
  5. It sends requests to the following C2 server: 195.66.213[.]181:4444.
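The indicators above can be checked on a host with the following script. It is an added example for this article, not CERT.BY tooling; the hashes, paths, task name and C2 address are copied from the indicators listed above, and it assumes that the dropped document.exe is a copy of the original executable (the article says the sample "copies itself" but gives no hash for the copy), so any file found at the listed paths is reported even when its hash is not one of the two known values. Run it in an elevated Windows PowerShell session.

```powershell
# Added example, not CERT.BY tooling: check a Windows host for the indicators of
# compromise listed in this article. Run in an elevated Windows PowerShell session.
# Assumption: the md5 values, paths, task name and C2 address are taken verbatim from
# the article; document.exe is assumed to be a copy of the original executable, which
# the article does not confirm by hash, so files at the listed paths are reported
# regardless of hash.

$KnownMd5 = @{
    '312ba524eb5be87bc4c37a2a82a7aaa0' = 'Propaganda materials of the Military Commissariat.rar'
    '82b9fbd467ad1de2695f79cba4137928' = 'Propaganda materials+Military commissar.exe'
}
$C2Address = '195.66.213.181'
$C2Port    = 4444
$TaskName  = 'DocxReader Service'
$Findings  = New-Object System.Collections.Generic.List[string]

function Get-Md5 ($Path) { (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower() }

# 1. Persistence: the scheduled task named in the article
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $Findings.Add("Scheduled task '$TaskName' exists (state $($task.State)), action: $action")
}

# 2. Dropped files: the article's paths are per user, so check every profile
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    foreach ($rel in 'AppData\Roaming\XenoManager\document.exe', 'AppData\Local\Temp\document.docx') {
        $p = Join-Path $userDir.FullName $rel
        if (Test-Path -LiteralPath $p) {
            $md5  = Get-Md5 $p
            $note = if ($KnownMd5.ContainsKey($md5)) { "matches $($KnownMd5[$md5])" } else { 'hash not listed in the article' }
            $Findings.Add("File present: $p (md5 $md5, $note)")
        }
    }
    # The original archive or executable, if the user saved the attachment
    foreach ($dir in 'Downloads', 'Desktop') {
        $d = Join-Path $userDir.FullName $dir
        if (-not (Test-Path -LiteralPath $d)) { continue }
        Get-ChildItem -LiteralPath $d -File -Recurse -Depth 1 -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.rar', '.exe' } |
            ForEach-Object {
                $md5 = Get-Md5 $_.FullName
                if ($KnownMd5.ContainsKey($md5)) { $Findings.Add("Known sample on disk: $($_.FullName) ($($KnownMd5[$md5]))") }
            }
    }
}

# 3. Network: current TCP connections to the C2 address and port
Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -eq $C2Port } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $Findings.Add("TCP $($_.State) to ${C2Address}:$C2Port from PID $($_.OwningProcess) ($($proc.ProcessName))")
    }

# 4. A running process whose image sits in the XenoManager directory
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -like '*\AppData\Roaming\XenoManager\*' } |
    ForEach-Object { $Findings.Add("Running from XenoManager directory: PID $($_.Id) $($_.Path)") }

if ($Findings.Count -eq 0) { 'No indicators from the article were found on this host.' }
else { 'Indicators found:'; $Findings | ForEach-Object { " - $_" } }
```

The script only reports; it does not kill processes or delete files, so that evidence survives for analysis. A host with any finding should be isolated from the network and reported to CERT.BY as described at the end of the article. Because the C2 check only sees connections open at the moment the script runs, also search proxy and firewall logs for 195.66.213[.]181:4444 to cover hosts that have already disconnected.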

XenoRat features and functionality expansion mechanism

During the analysis of the XenoRat malware, it was found that by default the tool has a wide range of remote administration functions, including:

  • Triggering a genuine Windows blue screen of death (BSOD);
  • Displaying a fake "blue screen of death";
  • Displaying arbitrary text in a MessageBox window;
  • Controlling peripherals (turning the monitor on/off, opening/closing the optical drive tray);
  • Capturing images from the webcam;
  • Recording the audio stream from the microphone;
  • Keylogging;
  • Screen recording;
  • Managing registry entries;
  • File operations on the system;
  • Process management;
  • Credential theft;
  • Adding itself to autorun;
  • Rebooting or shutting down the system.

In XenoRat, command processing is handled by the DllHandler module, which dynamically loads and executes code from external libraries. Each library must contain a "Plugin.Main" class with a "Run" method.

This mechanism lets attackers develop and integrate additional modules, extending the program's functionality for specific targets without changing the implant itself.
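The loading pattern described above, reproduced as an added example in Windows PowerShell (this is not code from the xeno-rat project): a host receives a .NET library as raw bytes, loads it with reflection, looks up the Plugin.Main class and calls its Run method. The plugin here is a stand-in compiled on the spot with Add-Type; its Run(string) signature and the Invoke-PluginRun function name are chosen for this demonstration and are not claimed to match xeno-rat's own code.

```powershell
# Added example, not code from the xeno-rat project: reproduces the plugin-loading
# pattern the article describes. Assumptions: the plugin below is a stand-in compiled
# here with Add-Type; its Run(string) signature is chosen for this demo and is not
# claimed to match xeno-rat's. Written for Windows PowerShell 5.1.

$pluginSource = @'
namespace Plugin
{
    public class Main
    {
        // Stand-in plugin body; a real plugin would receive the C2 session object instead.
        public static string Run(string arg) { return "plugin ran with: " + arg; }
    }
}
'@

# Compile the stand-in to a temporary DLL so we have "external library" bytes...
$dllPath     = Join-Path $env:TEMP ("plugin_{0}.dll" -f [guid]::NewGuid())
$pluginName  = [System.IO.Path]::GetFileNameWithoutExtension($dllPath)
Add-Type -TypeDefinition $pluginSource -OutputAssembly $dllPath
$pluginBytes = [System.IO.File]::ReadAllBytes($dllPath)
Remove-Item -LiteralPath $dllPath   # ...then remove the file: a RAT gets the bytes over its socket, not from disk

function Invoke-PluginRun {
    param([byte[]]$AssemblyBytes, [string]$Argument)
    # Assembly.Load(byte[]) maps the library straight from memory; no module file exists on disk
    $asm  = [System.Reflection.Assembly]::Load($AssemblyBytes)
    $type = $asm.GetType('Plugin.Main')
    if (-not $type) { throw 'library has no Plugin.Main class' }
    $run  = $type.GetMethod('Run')
    if (-not $run)  { throw 'Plugin.Main has no Run method' }
    # Static method, so the instance argument to Invoke is null
    return $run.Invoke($null, @($Argument))
}

Invoke-PluginRun -AssemblyBytes $pluginBytes -Argument 'hello'

# An assembly loaded from bytes reports an empty Location; that absence of a backing
# file is what distinguishes it from a normally loaded DLL.
[AppDomain]::CurrentDomain.GetAssemblies() |
    Where-Object { $_.GetName().Name -eq $pluginName } |
    Select-Object FullName, Location
```

The contract the article describes (a fixed namespace, class and method name looked up by string) is what makes the mechanism cheap for the attacker: any library that satisfies it is accepted without the implant knowing in advance what it does. For defenders, the corresponding observation is that the plugin never exists as a file on the victim's disk, so detection has to rely on the assembly-load activity and on the network traffic that delivers the bytes rather than on file scanning.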

CERT.BY recommendations

Be careful: phishing attacks have increased recently, driven both by expanding digitalization and by low user awareness. Attackers are actively refining their methods, using social engineering and fake web resources. Only an integrated approach to information security can reduce the risks and minimize possible damage.

In light of the above, CERT.BY recommends the following rules:

  1. Do not use "weak" passwords, including simple numeric sequences, dates of birth, repeated characters, or other easily guessed combinations;
  2. Do not reuse the same password across different services and accounts;
  3. Pay special attention to the content of emails, including those from known senders, since their mailboxes may be spoofed or compromised;
  4. Do not click hyperlinks in questionable emails, and do not open attachments, especially password-protected archives, from untrusted sources;
  5. If in doubt about the authenticity or safety of a message, attachment, or link, consult your organization's information security specialists or system administrators immediately.

In addition, we recommend checking information systems and personal computers for the signs of compromise listed in this article, following the published recommendations, and keeping up with CERT.BY updates.

If a threat is detected, please inform CERT.BY by e-mail: support@cert.by.

To receive news in a timely manner, subscribe to us on social networks:

X.com

linkedin.com

facebook.com