Two Different Groups Targeting Russian Banks in Phishing Campaigns - Binary Defense

Threat Watch

Threat Watch Two Different Groups Targeting Russian Banks in Phishing Campaigns

Two Different Groups Targeting Russian Banks in Phishing Campaigns

Two groups have been found to be launching phishing campaigns against Russian Financial institutions. In one of the campaigns, which has been tied to the well-known group Silence, emails are spoofed from the Central Bank of Russia. The spoofed emails contain a .zip file which claims to contain the “standardization of the format of CBR’s electronic communications,” but was actually the downloader for the Silence Trojan which plagued Russian financial institutions last year. The format of the emails sent by Silence were significantly close to those sent by the Central Bank of Russia, which suggests that they may have had access to legitimate emails. While the emails were convincingly spoofed, they did not actually pass DomainKeys Identification Mail (DKIM) validation.

The second campaign was tied to a group named MoneyTaker. In this instance, the spoofed emails appeared to be coming from Russia’s FinCERT, or Financial Sector Computer Emergency Response Team. Those emails contained an attachment which triggered a download of the Meterpreter stager. The link to MoneyTaker was made after it was discovered that the attack was tied back to the same server infrastructure that MoneyTaker had used in previous attacks.

ANALYST NOTES

Both groups pose different risks to the institutions that they target. MoneyTaker is a much more sophisticated group which utilizes a wide range of tools to carry out their attacks against law firms, banks, and software vendors which service the financial industry. On the other side though, Silence tends to utilize the same tools and attack types in each of their attacks. They still manage a high success rate because of their close attention to detail in their phishing emails, making them more likely to appear legitimate to their victims.