DarkWatchman RAT Targets Russian Companies Using Fake Pony Express Emails

Cybersecurity experts at FACCT have issued a warning about new activity involving the DarkWatchman RAT. This time the operators targeted Russian companies with phishing emails disguised as notifications from Pony Express, a popular courier service.

Previously, DarkWatchman operators have attacked Russian organizations by disguising their malware as encrypted archives containing the results of fake Ministry of Defense tenders, by sending out fake military draft notices, and even by setting up a fraudulent website impersonating a Russian cryptographic software developer.

DarkWatchman is a Remote Access Trojan (RAT): once installed, it gives the operators covert remote access to the compromised device, which they use to execute commands, download additional malicious modules, conduct espionage, and spread further within the organization’s network.

Details of the Latest Attack

The latest phishing campaign targeted at least thirty recipients, including Russian banks, retailers and marketplaces, telecom operators, agricultural and energy companies, logistics firms, and IT companies.

The fraudulent email claimed that the recipient’s free storage period for a package was about to expire. The attached file, presented as an archive containing an invoice, actually delivered the DarkWatchman RAT.

Researchers discovered that the attackers sent these emails from the domain ponyexpress[.]site, which three years ago hosted a phishing page mimicking an online store. Notably, the multi-channel phone number quoted in the email does belong to the real courier service, which lends the lure credibility. Currently, calling this number plays a warning message stating that emails from support@ponyexpress[.]site are fraudulent: “Please do not reply to the email and do not open any attached documents!”
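The lure described above combines two cheap signals a mail gateway or SOC triage script can check: a sender domain that reuses a courier's brand name under a different TLD, and an archive attachment posing as an invoice. The following is an added example of such a check, not code from FACCT or from the article. The sender domain ponyexpress[.]site and the support@ address come from the article; the trusted domain list (ponyexpress.ru) and both sample messages are assumptions constructed for illustration.

```python
"""Triage check for courier-themed lures sent from look-alike domains.

Added example, not the researchers' code. The trusted-domain list and the
two sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message

# ASSUMPTION: the legitimate Pony Express domain is taken to be ponyexpress.ru.
# Replace with the sender domains your organization actually trusts per brand.
TRUSTED_DOMAINS = {"ponyexpress": {"ponyexpress.ru"}}

# Archive containers commonly used to wrap droppers such as the one described above.
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".iso", ".img"}


def sender_domain(msg: Message) -> str:
    """Return the lower-cased domain of the From: header, or '' if absent."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower().rstrip(".") if m else ""


def brand_label(domain: str) -> str:
    """Label left of the TLD, e.g. 'ponyexpress' for ponyexpress.site."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def archive_attachments(msg: Message) -> list[str]:
    """Filenames of attached parts whose extension is an archive container."""
    names = []
    for part in msg.walk():
        fn = part.get_filename()
        if fn and any(fn.lower().endswith(ext) for ext in ARCHIVE_EXT):
            names.append(fn)
    return names


def triage(raw_message: str) -> dict:
    """Flag a raw RFC 822 message that reuses a trusted brand's label from an
    untrusted domain and/or carries an archive attachment."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    label = brand_label(domain)
    reasons = []
    if label in TRUSTED_DOMAINS and domain not in TRUSTED_DOMAINS[label]:
        reasons.append(f"look-alike sender domain {domain} for brand '{label}'")
    archives = archive_attachments(msg)
    if archives:
        reasons.append("archive attachment: " + ", ".join(archives))
    return {"from": domain, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample mimicking the lure in the article (not a real capture).
SAMPLE_PHISH = """\
From: "Pony Express" <support@ponyexpress.site>
To: accounting@example.com
Subject: Free storage period for your parcel is ending
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your parcel will be returned to sender unless collected. Invoice attached.
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Constructed benign message from the assumed legitimate domain, no attachment.
SAMPLE_LEGIT = """\
From: "Pony Express" <noreply@ponyexpress.ru>
To: accounting@example.com
Subject: Your parcel has arrived at the pickup point
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your parcel is ready for collection.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(triage(sample))
```

Note that the phone number in the lure would pass any check, because it is the courier's real number; contact details in a message are not a trust signal, while the envelope domain and the attachment type are. In production, the brand list would be derived from the sender domains your users legitimately correspond with, and the archive check would be paired with inspection of the archive's contents rather than its extension alone.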
