MetaStealer Poses as Ministry of Digital Development Certificate
Researchers at FACCT (formerly Group-IB) warn that they have intercepted phishing emails purporting to come from the Russian Ministry of Digital Development. The messages urge recipients to urgently install a "security certificate" from the Ministry, claiming that failure to do so will cause problems accessing online banking and government services such as Gosuslugi. The so-called certificate is in fact the MetaStealer infostealer, a variant of the RedLine stealer.
The fraudulent email states: “The Ministry of Digital Development of the Russian Federation informs you that starting from 01/30/2024, users who have not installed the NUC Ministry of Digital Development certificates on their operating systems may experience issues accessing, up to and including complete loss of access, to services such as Gosuslugi, online banking, government resources, and a number of other Russian services.” (Spelling and punctuation preserved from the original message.)
Well-Crafted Phishing Attempt
Researchers note that, unlike most malicious spam, this email is written competently and is designed to look trustworthy to potential victims. The “Download” button in the email (visible in the researchers' screenshot) leads to an archive containing a loader; the loader fetches MetaStealer, which then harvests data from the victim's machine.
Inside the archive are two identical executable files, russian_trusted_root_ca.cer.exe and russian_trusted_sub_ca.cer.exe (both with the same SHA-1: 5244539842ff4a2e58331aa6a825deb6246da8ee), disguised as security certificates. The double extension relies on Windows Explorer's default of hiding known extensions, so the files appear to end in .cer rather than .exe; the names mimic the Russian trusted root and subordinate CA certificates that users are genuinely told to install.
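The lure above depends on a name that looks like a certificate attached to a file that is actually a PE executable. The following is an added example, not code from FACCT's report: it shows how a triage script can flag such files by checking for a certificate-style extension followed by an executable one, by inspecting the file's leading bytes (a PEM certificate starts with a text header, a DER certificate with an ASN.1 SEQUENCE tag, a Windows executable with "MZ"), by comparing the SHA-1 against the reported IOC, and by grouping archive entries that are byte-identical. The byte samples below are constructed for the demonstration; only the file names and the hash come from the report.

```python
"""Triage archive entries that claim to be certificates but may be executables.

Added example (not from the FACCT report). The two file names and the SHA-1
below are the IOCs quoted in the article; every byte sample in this file is
constructed for the demonstration and is not the real malware.
"""
import hashlib

# Leading bytes of the three formats we distinguish.
PEM_MAGIC = b"-----BEGIN CERTIFICATE-----"   # PEM is base64 text with this header
DER_SEQUENCE_TAG = 0x30                      # DER certificate = ASN.1 SEQUENCE
DER_LONG_LENGTHS = {0x81, 0x82, 0x83}        # long-form length bytes seen in real certs
PE_MAGIC = b"MZ"                             # DOS stub header of a Windows PE file

# IOCs reported in the article.
REPORTED_NAMES = {"russian_trusted_root_ca.cer.exe", "russian_trusted_sub_ca.cer.exe"}
REPORTED_SHA1 = "5244539842ff4a2e58331aa6a825deb6246da8ee"

CERT_EXTENSIONS = {".cer", ".crt", ".pem", ".der", ".p7b"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".js", ".vbs"}


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def has_double_extension(name):
    """True when a certificate-like extension is immediately followed by an executable one.

    'root.cer.exe' -> True; 'root.cer' -> False; 'setup.exe' -> False.
    """
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return "." + inner in CERT_EXTENSIONS and "." + outer in EXEC_EXTENSIONS


def classify_content(data):
    """Classify by leading bytes: 'pe', 'pem', 'der' or 'unknown'."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(PEM_MAGIC):
        return "pem"
    if len(data) >= 2 and data[0] == DER_SEQUENCE_TAG and data[1] in DER_LONG_LENGTHS:
        return "der"
    return "unknown"


def assess(name, data, known_hashes=frozenset({REPORTED_SHA1})):
    """Return a verdict for one archive entry; 'reasons' lists every trigger that fired."""
    digest = sha1_hex(data)
    kind = classify_content(data)
    reasons = []
    if has_double_extension(name):
        reasons.append("certificate-style name ends in an executable extension")
    if kind == "pe":
        reasons.append("content is a Windows PE executable, not a certificate")
    if digest in known_hashes:
        reasons.append("sha1 matches a reported IOC")
    return {"name": name, "sha1": digest, "content": kind,
            "suspicious": bool(reasons), "reasons": reasons}


def duplicate_hashes(entries):
    """Map sha1 -> sorted names for every hash shared by two or more entries.

    The reported archive carried two byte-identical files under different names.
    """
    by_hash = {}
    for name, data in entries.items():
        by_hash.setdefault(sha1_hex(data), []).append(name)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed samples: a PE stub under the reported names, and a harmless DER-like blob.
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    fake_der = b"\x30\x82\x01\x0a" + b"\x00" * 20
    archive = {n: fake_pe for n in REPORTED_NAMES}
    archive["legit_root.cer"] = fake_der
    for entry_name, blob in archive.items():
        print(assess(entry_name, blob))
    print("identical entries:", duplicate_hashes(archive))
```

Because the hash check only catches this exact sample, the name and content checks do the real work against the next repackaged build; a file whose name says certificate but whose bytes say PE should be quarantined regardless of whether its hash is already known.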
Use of Email Spoofing
In addition, the attackers spoofed the sender address so that the phishing emails appeared to come from a legitimate address.
FACCT notes that MetaStealer has recently been used by the cyber-espionage group Sticky Werewolf. Judging by the techniques used in these new campaigns, however, other threat actors appear to be behind them, which is unsurprising since the stealer is sold openly on the criminal market.