Mass Cyberattacks Target Dozens of Russian Organizations: Hackers Use New Backdoor
Russian institutions in both the government and industrial sectors have fallen victim to a large-scale cyberattack, as reported by Kaspersky Lab. The attackers used phishing emails containing a malicious archive, which, when opened, launched a new backdoor on infected devices. The main goal of the attack was to steal data such as screenshots, documents, browser passwords, and information from the clipboard.
How the Attack Unfolded
The attack began in June 2023 and continued until mid-August. The perpetrators sent emails that mimicked official messages from a regulatory authority, including a fake PDF document and a malicious archive. If the victim opened the archive, an NSIS installer (a Nullsoft Scriptable Install System package, referred to as [NSIS].nsi) would run and install the backdoor in a hidden window. The site from which the malware was downloaded was a lookalike of the agency's official website.
Backdoor Functionality and Evasion Techniques
Once launched, the backdoor first checked for internet access by connecting to legitimate web resources, such as foreign news sites. It then looked for signs of an analysis environment, such as a sandbox or virtual machine, and for security tools that could detect its presence; if any were found, it stopped. If all checks passed, the malware connected to the attackers' server and downloaded modules that let it steal clipboard data, take screenshots, and search for user documents in popular formats (.doc, .docx, .pdf, .xls, .xlsx). All stolen data was sent to the command-and-control server.
Attack Evolution and New Features
In mid-August, the attackers updated the backdoor, adding a module that steals browser passwords and performing more thorough checks for analysis environments and security tools. The infection chain stayed the same, with one notable change: the internet access check via legitimate web resources was removed, and the malware now connected directly to the command-and-control server.
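The two behaviour chains described above (the original variant, which probed legitimate sites before contacting its server, and the August variant, which connected to the command-and-control server directly) can both be caught by correlating endpoint telemetry per process. The script below is an added illustration for defenders, not Kaspersky's detection logic or anything from the report; the pipe-delimited log format, the allow-listed domains, the archive-handler names, the file paths and the 203.0.113.x / 198.51.100.x hosts are all constructed for the example, and the document-extension list is the one the article gives.

```python
"""Added example: per-process correlation of the reported infection chain.
Illustrative detection logic over constructed telemetry; not Kaspersky's code.
Format (constructed): <ts>|<pid>|<proc|net|file>|<detail>"""
from collections import defaultdict
from dataclasses import dataclass, field
import ntpath
import re

# Document types the stealer module was reported to search for.
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx"}

# Assumption: domains already allowed in this environment (the first variant
# probed legitimate sites such as foreign news before reaching its server).
ALLOWED_DOMAINS = {"news.example.org", "cdn.example.net"}

# Assumption: parents whose children count as "launched from an archive".
ARCHIVE_TOOLS = {"7zfm.exe", "winrar.exe", "explorer.exe"}

LINE_RE = re.compile(r"^(\d+)\|(\d+)\|(proc|net|file)\|(.*)$")


@dataclass
class ProcState:
    image: str = ""
    from_archive: bool = False
    hidden: bool = False
    probed_allowed: bool = False
    c2_hosts: set = field(default_factory=set)
    docs_read: set = field(default_factory=set)


def parse_line(line):
    """Return (ts, pid, kind, detail) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, kind, detail = m.groups()
    return int(ts), int(pid), kind, detail


def correlate(lines):
    """Aggregate process, network and file events into per-pid state."""
    procs = defaultdict(ProcState)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, pid, kind, detail = parsed
        st = procs[pid]
        if kind == "proc":
            kv = dict(re.findall(r"(\w+)=(\S+)", detail))
            st.image = kv.get("image", "")
            st.from_archive = kv.get("parent", "").lower() in ARCHIVE_TOOLS
            st.hidden = kv.get("window") == "hidden"
        elif kind == "net":
            host = detail.split("=", 1)[1].rsplit(":", 1)[0]
            if host in ALLOWED_DOMAINS:
                st.probed_allowed = True      # connectivity probe (variant 1)
            else:
                st.c2_hosts.add(host)         # candidate command-and-control
        elif kind == "file":
            path = detail.split(" ", 1)[1]
            if ntpath.splitext(path)[1].lower() in DOC_EXTS:
                st.docs_read.add(path)        # document sweep
    return procs


def verdicts(lines, min_docs=3):
    """Flag an archive-launched hidden process that reaches a non-allow-listed
    host and then reads several user documents; report which variant it matches."""
    out = {}
    for pid, st in correlate(lines).items():
        hit = (st.from_archive and st.hidden and bool(st.c2_hosts)
               and len(st.docs_read) >= min_docs)
        variant = None
        if hit:
            variant = "probe-then-c2" if st.probed_allowed else "direct-c2"
        out[pid] = {"image": st.image, "suspicious": hit,
                    "variant": variant, "c2": sorted(st.c2_hosts)}
    return out


# Constructed telemetry: pid 4120 mimics the June variant, 5230 the August
# variant, and 6000 is a benign document editor for contrast.
SAMPLE_TELEMETRY = """\
10|4120|proc|parent=7zFM.exe image=C:\\Users\\u\\AppData\\Local\\Temp\\7zO1\\install.exe window=hidden
12|4120|net|dst=news.example.org:443
15|4120|net|dst=203.0.113.7:443
20|4120|file|read C:\\Users\\u\\Documents\\report.docx
21|4120|file|read C:\\Users\\u\\Documents\\budget.xlsx
22|4120|file|read C:\\Users\\u\\Downloads\\contract.pdf
30|5230|proc|parent=winrar.exe image=C:\\Users\\u\\AppData\\Local\\Temp\\Rar$EX\\setup.exe window=hidden
31|5230|net|dst=198.51.100.9:443
33|5230|file|read C:\\Users\\u\\Documents\\a.doc
34|5230|file|read C:\\Users\\u\\Documents\\b.docx
35|5230|file|read C:\\Users\\u\\Documents\\c.xls
40|6000|proc|parent=explorer.exe image=C:\\Office\\winword.exe window=normal
41|6000|file|read C:\\Users\\u\\Documents\\report.docx
42|6000|net|dst=cdn.example.net:443
""".splitlines()

if __name__ == "__main__":
    for pid, v in verdicts(SAMPLE_TELEMETRY).items():
        print(pid, v)
```

The rule deliberately does not depend on the connectivity probe, since the August variant dropped it; the probe is only used to label which variant a hit resembles. In production the allow-list and archive-handler set would come from the organisation's own baseline, and the document-read threshold should be tuned against normal user activity.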