Two Kazakhstani security firms have discovered malware on systems hosting eGov.kz, the Kazakhstan government web portal that citizens use to conduct business such as filing taxes. When visitors to the website attempt to download some documents, the website instead downloads an executable file and prompts the user to run it. If the downloaded file is executed, it installs Razy malware. Razy is reported to target users’ cryptocurrency accounts in an attempt to steal funds. The researchers at T&T (in a Russian-language report) point out the relatively simplistic nature of this attack, in which the actors used old malware samples with a few changes for logistics and phishing purposes. The researchers assume that the attack is limited to credential harvesting for financial gain.
Attacks such as this are a daily occurrence for many private and government entities. Many websites are compromised, usually because the website’s Content Management System (CMS) or a plug-in has not been patched, and attackers often host phishing web pages or malware payloads on compromised websites. In this case, the attackers have used a simple technique: delivering an EXE file directly and hoping that visitors to the website won’t notice what type of file they have downloaded before opening it. With a plan in place to raise awareness of phishing techniques, users have a significantly better chance of spotting and stopping such an attack. That said, threat actors have become increasingly skilled at designing documents, zip files, script files and other delivery mechanisms to trick users into activating payloads. When the inevitable happens and a phishing or malware delivery attempt succeeds, a Security Operations Center (SOC) team with defensive measures in place can alert and take action. Binary Defense offers SOC, Threat Hunting, and Counter-Intelligence teams to help form a defense-in-depth solution that protects businesses from security threats.
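The technique described above, a document link that quietly serves a Windows executable, is cheap to catch at a web proxy or in a SOC download-inspection pipeline by comparing what the user asked for with what the server actually returned. The following is an added illustration written for this page, not code from the researchers or from Binary Defense; the magic-byte table, the function names and the sample byte strings are all constructed here for demonstration.

```python
import struct

# Magic bytes expected for the document types a citizen would download from a portal.
DOCUMENT_MAGIC = {
    "pdf": (b"%PDF-",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 compound file
    "docx": (b"PK\x03\x04",),                        # OOXML zip container
    "xlsx": (b"PK\x03\x04",),
}

def is_pe_executable(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def check_document_download(requested_name: str, data: bytes) -> str:
    """Compare the extension the user requested against the bytes the server served."""
    ext = requested_name.rsplit(".", 1)[-1].lower() if "." in requested_name else ""
    expected = DOCUMENT_MAGIC.get(ext)
    if expected is None:
        return "not-a-document-request"
    if is_pe_executable(data):
        return "ALERT: executable served for document request"
    if any(data.startswith(m) for m in expected):
        return "ok"
    return "WARN: content does not match extension"

# Constructed samples (not real files): a minimal PE header and a minimal PDF header.
def _fake_pe() -> bytes:
    header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 64-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20

SAMPLES = {
    "tax_form.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "tax_form_2.pdf": _fake_pe(),
    "guide.docx": b"PK\x03\x04" + b"\x00" * 26,
    "report.xlsx": b"<html><body>403 Forbidden</body></html>",
}

def scan_samples() -> dict:
    """Run the check over every constructed sample and return name -> verdict."""
    return {name: check_document_download(name, body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {verdict}")
```

In a real deployment the requested name would come from the clicked link or proxy log and the bytes from the response body; a mismatch is a strong signal of either a compromised site or a tampered download path, regardless of which malware family is on the other end.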