Kaspersky Lab Identifies Two Waves of Malicious Email Campaigns
In early July, Kaspersky Lab specialists detected two waves of targeted email campaigns carrying malicious archives or links. The emails, aimed at Russian companies, were sent to about 1,000 employees across the manufacturing, finance and energy sectors, as well as government agencies.
Details of the Attacks
- The first wave occurred on July 5 and affected around 400 users.
- The second, larger wave was observed on July 10, targeting over 550 users.
In some cases, attackers posed as business partners of the targeted organizations, replying to existing email threads. Researchers believe hackers used compromised email accounts or previously stolen correspondence to do this. Continuing an existing conversation increases the likelihood that recipients will trust the message.
Attack Methods
The attackers distributed a RAR archive, either as an attachment or via a Google Drive link in the email body. In most cases the archive was password-protected, with the password given in the email. Inside the archive was a decoy document and a folder with the same name, containing a file that usually had a double extension (for example, “Invoice.pdf .exe”). This archive layout was used to exploit a vulnerability in WinRAR (CVE-2023-38831) discovered last year.
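As an added illustration of how a defender can screen an archive's name listing for the decoy-plus-same-named-folder layout described above (example code written for this article, not from the report; the archive entries below are constructed, and the listing can come from any archive tool, e.g. zipfile.ZipFile.namelist()):

```python
import posixpath
from typing import Iterable, List, Tuple

# Extensions that Windows would execute if the "document" inside the
# same-named folder were launched instead of the decoy.
EXEC_EXTS = {".exe", ".cmd", ".bat", ".com", ".scr", ".ps1", ".vbs", ".js"}


def find_cve_2023_38831_layout(entries: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (decoy, payload) pairs whose layout matches the lure:
    a file next to a folder with the same name, the folder holding a
    file whose name starts with the decoy's name (trailing space and
    all) and ends in an executable extension, e.g. 'Invoice.pdf .exe'."""
    names = [e.replace("\\", "/") for e in entries]
    files, dirs = set(), set()
    for n in names:
        if n.endswith("/"):
            dirs.add(n.rstrip("/"))
            continue
        files.add(n)
        parent = posixpath.dirname(n)      # record implied parent folders too
        while parent:
            dirs.add(parent)
            parent = posixpath.dirname(parent)

    hits = []
    for decoy in sorted(files):
        if decoy not in dirs:              # needs a folder with the same name
            continue
        base = posixpath.basename(decoy).lower()
        for f in sorted(files):
            if posixpath.dirname(f) != decoy:
                continue
            leaf = posixpath.basename(f)
            ext = posixpath.splitext(leaf)[1].lower()
            if leaf.lower().startswith(base) and ext in EXEC_EXTS:
                hits.append((decoy, f))
    return hits


# Constructed listings: one mimicking the reported lure, one benign.
LURE_LISTING = [
    "Invoice.pdf ",                    # decoy document (note trailing space)
    "Invoice.pdf /",                   # folder with the same name
    "Invoice.pdf /Invoice.pdf .exe",   # double-extension payload
    "Invoice.pdf /Invoice.pdf",        # harmless copy of the document
    "readme.txt",
]
BENIGN_LISTING = ["report.pdf", "images/", "images/chart.png"]

if __name__ == "__main__":
    for decoy, payload in find_cve_2023_38831_layout(LURE_LISTING):
        print(f"suspicious: decoy {decoy!r} shadowed by {payload!r}")
```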
The attackers frequently changed the pretext under which they asked recipients to download and open the malicious archive, creating unique and convincing email texts to avoid suspicion.
Malware Details
If that file was opened, malware from the Backdoor.Win64.PhantomDL family was installed on the victim’s device. This malware is written in Go, heavily obfuscated, and packed with a non-standard version of the UPX packer. PhantomDL was first detected in March 2024, following its predecessor PhantomRAT, which was written in .NET. Essentially, it is the same software, just written in a different language.
The malware was used to install and run various malicious utilities, including remote administration tools. Researchers observed the installation of utilities like rsockstun and ngrok for traffic tunneling, sshpass for SSH access, and others during such attacks.
Additionally, this backdoor is used to upload various files from the victim’s computer to the attackers’ server. Typically, these are results and logs from different utilities, but any confidential documents could also be uploaded.
Attribution and Previous Campaigns
Based on the malware used, indicators of compromise, and the tactics, techniques, and procedures of the attackers, experts believe the PhantomDL attacks are linked to the hacker group Head Mare.
The report also notes that similar campaigns (in design, targets, names and attachment formats) have been observed before, but with different malware. From late April to early June 2024, researchers found emails with similar content: attachments allegedly containing documents password-protected at the ministry’s request, with the password provided in the email text.
These emails distributed samples of the DarkWatchman RAT malware, which gives attackers remote access to the infected system.