Multi-Stage Phishing Campaign Targets Russian Users with Ransomware
Overview of the Attack
A new multi-stage phishing campaign has emerged, specifically targeting users in Russia with ransomware and a remote access trojan (RAT) known as Amnesia RAT. Security researchers from Fortinet’s FortiGuard Labs have released a detailed analysis highlighting the techniques and strategies employed in this malicious operation.
The Initial Attack Vector
The attack begins with social engineering tactics that deliver seemingly innocuous business-related documents. According to Cara Lin, a researcher at Fortinet, these documents are designed to look routine and harmless. Accompanying scripts are deployed to distract users, thereby allowing malicious activities to occur unnoticed in the background.
Distinct Features of the Campaign
What sets this phishing campaign apart is its use of multiple public cloud services for distributing different payloads. GitHub is primarily used for hosting scripts, while binary payloads are stored on Dropbox. This separation complicates takedown efforts and significantly enhances the campaign’s resilience.
Another notable aspect of this attack involves the exploitation of a tool called DefendNot. Released by a security researcher known as es3n1n, this utility tricks Microsoft Defender into believing that an alternative antivirus program is already installed on the host system, effectively disabling it.
The Mechanics of the Infection
To initiate the attack, the campaign utilizes compressed archives containing decoy documents alongside a malicious Windows shortcut (LNK) file. The LNK file features a misleading double extension (e.g., “Задание_для_бухгалтера_02отдела.txt.lnk”) that aims to convince users that it is a simple text file.
Upon execution, the LNK file triggers a PowerShell command that retrieves a subsequent PowerShell script hosted on a GitHub repository. This script acts as the first-stage loader, establishing a presence on the target system, obscuring evidence of the attack, and facilitating the flow of control to additional stages.
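As an added defensive example (not code from the Fortinet report or the campaign), the PowerShell below hunts a directory for shortcut files that hide behind a double extension such as ".txt.lnk" and reports what each shortcut actually launches, which is the detection point for the stage described above. It assumes the WScript.Shell COM object is available (it is on any stock Windows install); the list of interpreter names and argument fragments it treats as suspicious is a generic heuristic, not a list taken from this campaign.

```powershell
# Added example: flag double-extension .lnk files and show the command they run.
# Assumes WScript.Shell is available; the suspicious-host/argument lists are
# generic heuristics, not indicators from the campaign itself.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

$shell = New-Object -ComObject WScript.Shell

# Interpreters a decoy "document" should never need to launch.
$suspiciousHosts = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                   'cscript.exe', 'mshta.exe', 'rundll32.exe'
# Argument fragments typical of a download-and-run stager.
$suspiciousArgs  = '-enc', '-e ', 'hidden', 'downloadstring', 'invoke-webrequest',
                   'iwr ', 'iex', 'irm ', 'http'

Get-ChildItem -Path $Path -Recurse -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    # BaseName strips the real ".lnk"; any extension left over is a double extension.
    $inner        = [System.IO.Path]::GetExtension($file.BaseName)
    $hasDoubleExt = $inner -ne ''

    try {
        $lnk     = $shell.CreateShortcut($file.FullName)
        $target  = $lnk.TargetPath
        $lnkArgs = $lnk.Arguments
    } catch {
        $target  = '<unreadable>'
        $lnkArgs = ''
    }

    $targetName = [System.IO.Path]::GetFileName($target).ToLower()
    $hostHit    = $suspiciousHosts -contains $targetName
    $lowerArgs  = $lnkArgs.ToLower()
    $argHit     = @($suspiciousArgs | Where-Object { $lowerArgs.Contains($_) }).Count -gt 0

    if ($hasDoubleExt -and ($hostHit -or $argHit)) { $verdict = 'SUSPICIOUS' }
    elseif ($hostHit -or $argHit)                  { $verdict = 'REVIEW' }
    else                                           { $verdict = 'ok' }

    [pscustomobject]@{
        File      = $file.FullName
        DoubleExt = $hasDoubleExt
        Target    = $target
        Arguments = $lnkArgs
        Verdict   = $verdict
    }
} | Sort-Object Verdict | Format-Table -AutoSize -Wrap
```

Run it as `.\Find-SuspiciousLnk.ps1 -Path C:\Users\alice\Downloads` against an extracted archive; a shortcut whose visible name ends in ".txt" but whose target is powershell.exe with a hidden-window or download argument is the pattern to quarantine. Reading the shortcut through COM resolves the target without executing it.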
Maintaining Stealth and Control
The PowerShell script first conceals the console window, which removes the visible indicators of its activity. It then writes a decoy document to the victim’s local application data directory. Once that document has been opened for the user to see, the script sends a notification to the attacker via the Telegram Bot API, confirming that its initial phase has executed successfully.
After introducing a delay, the PowerShell script activates a highly obfuscated Visual Basic Script (VBS) that directly assembles the next-stage payload in memory. This method enables the malware to evade detection by avoiding the creation of artifacts on the disk.
Disabling Security Measures
Once operational, the final-stage script conducts various actions aimed at disabling endpoint security mechanisms. Among these actions are:
- Configuring Microsoft Defender exclusions to shield certain system directories from scans.
- Deactivating additional Defender components using PowerShell scripts.
- Registering a fake antivirus product in Windows Security Center to compel Defender to disable itself.
- Conducting reconnaissance on the target system through periodic screenshots captured by a dedicated module.
Furthermore, the script modifies registry settings to disable administrative tools, hijack file associations, and create prompts that direct victims to communicate with the threat actors via Telegram.
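The following PowerShell is an added audit script, not code from the Fortinet report, DefendNot, or the campaign. It takes a point-in-time snapshot of the settings these stages tamper with: Defender's Tamper Protection and real-time status, the exclusion lists, the antivirus products registered in Windows Security Center (a DefendNot-style fake registration shows up here), and the policy values that lock users out of Task Manager and the Registry Editor. Which specific registry values this campaign sets is not stated in the article, so the DisableTaskMgr and DisableRegistryTools checks are an assumption about the "disable administrative tools" step. It uses the built-in Defender cmdlets and the root/SecurityCenter2 WMI namespace, so it must run elevated on a Windows workstation.

```powershell
# Added example: audit Defender, Security Center and lock-out policy state.
# Assumes an elevated session on a Windows workstation with the Defender module.
# The policy value names checked at the end are an assumption about what the
# "disable administrative tools" step changes; they are not from the report.

Write-Host "== Defender status =="
$status = Get-MpComputerStatus
[pscustomobject]@{
    TamperProtected    = $status.IsTamperProtected
    RealTimeProtection = $status.RealTimeProtectionEnabled
    AntivirusEnabled   = $status.AntivirusEnabled
    AntispywareEnabled = $status.AntispywareEnabled
} | Format-List

Write-Host "== Defender exclusions (expect an empty or short, known list) =="
# Non-admin sessions hide exclusions on recent builds, which is why this runs elevated.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
    foreach ($entry in $pref.$kind) { "{0}`t{1}" -f $kind, $entry }
}

Write-Host "== Antivirus products registered in Security Center =="
# A registered product whose signed executable does not exist on disk is a red flag;
# Defender itself legitimately reports a windowsdefender:// URI rather than a path.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
ForEach-Object {
    $exe = [Environment]::ExpandEnvironmentVariables([string]$_.pathToSignedProductExe)
    if ($exe -match '^[a-z]+://') {
        $flag = 'n/a (URI)'
    } elseif (-not [string]::IsNullOrEmpty($exe) -and (Test-Path -LiteralPath $exe)) {
        $flag = ''
    } else {
        $flag = 'CHECK: signed executable missing'
    }
    [pscustomobject]@{
        Product      = $_.displayName
        ProductState = '0x{0:X6}' -f $_.productState
        SignedExe    = $exe
        Flag         = $flag
    }
} | Format-Table -AutoSize -Wrap

Write-Host "== Policy values that lock users out of admin tools =="
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $value = $props.$name
        if ($null -ne $value -and $value -ne 0) {
            "{0}\{1} = {2}  <-- set, review" -f $key, $name, $value
        }
    }
}
```

Baseline the output on a clean build of the same image; a TamperProtected value of False, exclusions covering whole system directories, an unknown product in the Security Center list, or a non-zero lock-out policy value are each worth a ticket on their own.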
The Payloads: Amnesia RAT and Ransomware
One of the primary payloads unveiled during the attack is Amnesia RAT, capable of extensive data theft and remote control. It targets information stored in web browsers, cryptocurrency wallets, and communication platforms like Discord and Telegram, as well as metadata from the system itself.
Amnesia RAT enables unauthorized remote access, credential theft, cyber fraud, and real-time data gathering, making it a formidable tool for attackers.
In addition, a ransomware variant derived from the Hakuna Matata family is also deployed. This ransomware is designed to encrypt various file types on the infected system while actively monitoring and modifying clipboard contents to reroute cryptocurrency transactions to wallets controlled by the attackers.
Defensive Strategies for Users
To counter misuse of the Windows Security APIs, Microsoft advises users to enable Tamper Protection, which prevents unauthorized alterations to Defender settings. Additionally, defenders should monitor for unusual calls to those APIs and for changes to Defender services.
Ongoing Threat Landscape
The current threat environment also includes ongoing campaigns targeting Russian corporate sectors by actors like UNG0902 and Paper Werewolf. The former has employed spear-phishing techniques using decoy documents related to employee incentives, while the latter utilizes AI-generated methods to distribute malicious software.
These developments underscore the persistent and evolving nature of cyber threats in today’s digital landscape. Staying informed and employing effective security measures is crucial for safeguarding sensitive information.