Moscow Ring Railway Website Infected with Panda Trojan

Experts from Kaspersky Lab have told RBC that the official website of the Moscow Ring Railway (MKZD) was compromised. The site was infected with the Panda banking trojan.

According to Kaspersky Lab’s press service, the malicious activity was discovered on July 8, 2019, and the MKZD website had been infected since the previous weekend. Analysts estimate that several thousand users worldwide were put at risk (with only 27% of attacks targeting Russia).

Details of the Attack

According to RBC and security researchers, the attack was carried out in several stages. First, the operators of this campaign infected victims’ computers with malware using classic phishing emails containing malicious documents. In the second stage, the MKZD website itself was hacked and infected. The malware on victims’ computers then connected to the compromised site to receive commands from the attackers to download the virus. The downloaded malware, in turn, installed the well-known Cobalt Strike tool on the victim’s system.

“They attack a legitimate resource, which may be included in so-called whitelists, and if the breach is successful, they place malicious software components on it,” the analysts explained.

Current Status

Kaspersky Lab specialists, together with the Moscow Department of Information Technology (DIT), have already resolved the issue with the MKZD website. However, Google is still warning users that the site may have been hacked, and at the time of writing, the resource was completely unavailable, returning a 502 error.
