Two Hacker Groups Carry out Major Phishing Attacks against the Russian Banks

As per a cyber security firm, two major phishing email campaigns have been identified by them that have targeted financial institutions of Russia. The phishing emails are disguised to have come from Russia's financial cyber security authorities and the Central Bank.

As per a report by Group-IB based out in Moscow, numerous Russian banks have received phishing emails which were claimed to have come from the CBR (Central Bank of Russia) on November 15, 2018. The emails that were sent came along with the malicious attachments having a tool that is used by Silence hacker group. Though the attachments in the emails were having an extension of .zip that is actually known to be "the standardization of the format of CBR's electronic communications", however they were the Silence downloader actually.

Group-IB also stated that the format of the phishing emails are very close to the original emails sent by the Central Bank of Russia, which also points to the fact that "the hackers most likely had access to samples of legitimate emails". However, fortunately as the phishing emails could not pass the DomainKeys Identified Mail (DKIM) validation, therefore their effectiveness was little bit stunted.

In another phishing campaign which occurred on October 23, 2018, the hacker group called MoneyTaker also targeted the Russian banks. In this attack, MoneyTaker sent emails through a fake address that presumed to have come from Russia's Financial Sector Computer Emergency Response Team (FinCERT). The phishing emails were also contained with fake attachments pretending to be from Central Bank of Russia, which in this case triggers download for Meterpreter Stager.

Group IB claim that this attack seems to be carried out by MoneyTaker because the attack has used the server infrastructure, and MoneyTaker during its previous other attack have used it.

Group IB's threat intelligence expert and Dynamic Analysis Head of malware department, Rustam Mirkasymov, says that the phishing campaigns many-a-times imitate the CBR, as the Central Bank of Russia is responsible for communicating the regulations to the Russian banks. Thus, the CBR often corresponds with the banks all over the country. Mirkasymov further adds that Silence and MoneyTaker currently are amongst the top most hacker groups targeting financial institutions all around the world.

» SPAMfighter News - 11/28/2018