A new phishing campaign is abusing the names of apps banned in Russia to deceive its targets. According to reports, the threat actors use these applications as lures to attract Russian victims and deliver their malware.
The operation starts with phishing sites posing as popular apps that are off-limits in Russia because of nationwide restrictions. Among the applications impersonated are well-known names such as ExpressVPN, WeChat, and Skype.
While appearing legitimate at first glance, these fake websites hide a malicious payload. Most of the fake installers deliver Remote Management System (RMS), a legitimate remote administration tool, which the attackers use to gain initial access to victims' systems.
Once the attackers have a foothold, they deploy several malware strains, each with a specific task in compromising the victim's device. One confirmed capability of these strains is stealing sensitive data, which poses a significant threat to the privacy and security of the victims.
The campaign abusing apps banned in Russia is allegedly run by Russian actors, too.
There is a strong chance that Russian threat actors operate this phishing campaign, since Russian-language strings are present in the malware binary.
Some researchers speculate that TA505 could be behind this campaign, since that group has previously utilised the RMS tool. The version of RMS employed here gives its operators capabilities such as establishing remote connections, recording the victim's screen, and extracting system information.
One concern raised by this campaign is how many threat actors have adopted legitimate remote-control tools. Because administrators use the same tools, their traffic blends in with legitimate network activity, making detection and analysis of malicious use more challenging.
Organisations should therefore implement application whitelisting to block the execution of unknown or unapproved software and protect their systems against these attacks. Experts also urge users to review the list of services running on their systems regularly, since an unexpected remote-administration service is an early sign of compromise.
Russian firms should also set up alerts for unusual or suspicious traffic patterns to identify unauthorised communication between the attackers' tooling and their command-and-control (C2) server.
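One way to turn that last recommendation into a concrete check is to look for beaconing: a remote-administration agent that checks in with its operator produces small connections to the same destination at near-constant intervals, which ordinary browsing does not. The script below is an added example and not code from the reported campaign or from any of the researchers cited; the log format, host names, the destination IP (taken from the RFC 5737 documentation range) and the thresholds are all assumptions chosen for illustration, and the sample log is constructed.

```python
"""Beaconing detector over constructed proxy/firewall connection logs.

Added example, not from the original article. The log format, host names,
IP address (RFC 5737 documentation range) and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>".
# One host talks to 198.51.100.7 every five minutes with ~500 bytes each time,
# mixed in with ordinary CDN and mail traffic.
SAMPLE_LOG = """\
2023-05-10T09:00:00 10.0.0.12 updates.example-corp.internal 1420
2023-05-10T09:00:03 10.0.0.12 cdn.example.org 88210
2023-05-10T09:00:04 10.0.0.12 198.51.100.7 512
2023-05-10T09:05:05 10.0.0.12 198.51.100.7 498
2023-05-10T09:10:04 10.0.0.12 198.51.100.7 530
2023-05-10T09:15:06 10.0.0.12 198.51.100.7 505
2023-05-10T09:15:30 10.0.0.12 cdn.example.org 120334
2023-05-10T09:20:05 10.0.0.12 198.51.100.7 511
2023-05-10T09:25:04 10.0.0.12 198.51.100.7 499
2023-05-10T09:31:12 10.0.0.12 mail.example.org 2048
2023-05-10T09:42:45 10.0.0.12 cdn.example.org 50111
"""

# Destinations known to be legitimate; an assumed baseline for the example.
ALLOWLIST = {"updates.example-corp.internal"}


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) tuples from the constructed log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(size)


def find_beacons(records, min_connections=5, max_jitter=0.10, max_bytes=4096):
    """Flag (src, dst) pairs whose connections recur at near-constant intervals.

    Regularity is measured as the coefficient of variation of the gaps between
    successive connections (population stddev / mean). Pairs with few
    connections, irregular timing or large transfers are not reported.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        if dst in ALLOWLIST:
            continue
        by_pair[(src, dst)].append((ts, size))

    alerts = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap else float("inf")
        avg_bytes = mean(size for _, size in events)
        if jitter <= max_jitter and avg_bytes <= max_bytes:
            alerts.append({
                "src": src,
                "dst": dst,
                "count": len(events),
                "period_s": round(avg_gap),
                "jitter": round(jitter, 3),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible C2 beacon:", alert)
```

On the sample log the only pair reported is 10.0.0.12 to 198.51.100.7, six connections roughly 300 seconds apart with a jitter of about 0.4 %; the CDN and mail hosts are either too infrequent or too irregular to qualify. In practice the thresholds need tuning against the organisation's own baseline, and legitimate software that polls on a fixed schedule (update checkers, monitoring agents) will need to be added to the allowlist rather than silenced by loosening the jitter bound.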