Two groups have been found to be running phishing campaigns against Russian financial institutions. In one of the campaigns, attributed to the well-known group Silence, the emails are spoofed to appear to come from the Central Bank of Russia (CBR). They carry a .zip attachment that purports to contain the "standardization of the format of CBR's electronic communications" but actually delivers the downloader for the Silence Trojan, the malware that plagued Russian financial institutions last year. The format of Silence's emails closely matched genuine CBR correspondence, which suggests the attackers had access to legitimate CBR emails. Convincing as the spoofing was, the messages did not pass DomainKeys Identified Mail (DKIM) validation, a failure that a receiving mail system which checks authentication results can act on.
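The DKIM failure is the one technical foothold the first campaign gives a defender. The script below is an added example, not code from the article or from any of the groups or institutions it names: it parses the Authentication-Results headers that a receiving MTA stamps on inbound mail and quarantines any message whose From: domain claims a high-trust sender unless DKIM passed with an aligned signing domain. The trusted-domain list, the authserv-id `mx.bank.example` and all sample messages are constructed for the example; `cbr.ru` is assumed to be the CBR's domain. Only Authentication-Results headers carrying our own authserv-id are trusted, because anything upstream of our MTA, including an attacker, can inject headers with a forged `dkim=pass`.

```python
"""Quarantine mail that claims a trusted sender domain without an aligned DKIM pass.

Added example. Domains, authserv-id and sample messages are constructed.
"""
import email
import re
from email.utils import parseaddr

# Constructed policy values. cbr.ru is assumed to be the Bank of Russia's domain;
# the second entry is a placeholder for another high-trust correspondent.
TRUSTED_SENDER_DOMAINS = {"cbr.ru", "fincert.example"}
AUTHSERV_ID = "mx.bank.example"  # constructed: the authserv-id our own MTA writes

# RFC 8601 Authentication-Results: "<authserv-id>; method=result props; method=result ..."
AR_DKIM_RE = re.compile(r"\bdkim=(?P<result>[a-z]+)(?P<rest>[^;]*)", re.I)
AR_D_RE = re.compile(r"header\.d=(?P<d>[A-Za-z0-9.-]+)", re.I)


def from_domain(msg):
    """Domain of the RFC 5322 From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def dkim_results(msg):
    """(result, signing_domain) pairs from Authentication-Results headers
    written by our own MTA. Headers carrying any other authserv-id are
    ignored: an attacker can prepend arbitrary headers before delivery."""
    out = []
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(hdr).partition(";")
        if authserv.strip().lower() != AUTHSERV_ID:
            continue
        for m in AR_DKIM_RE.finditer(rest):
            d = AR_D_RE.search(m.group("rest"))
            out.append((m.group("result").lower(), d.group("d").lower() if d else ""))
    return out


def aligned(signing_domain, sender_domain):
    """DMARC-style relaxed alignment: signing domain equals or is a subdomain of From: domain."""
    return signing_domain == sender_domain or signing_domain.endswith("." + sender_domain)


def verdict(raw_message):
    """'accept', 'quarantine', or 'not-trusted-sender' (policy does not apply)."""
    msg = email.message_from_string(raw_message)
    sender = from_domain(msg)
    if sender not in TRUSTED_SENDER_DOMAINS:
        return "not-trusted-sender"  # lookalike domains need a separate control
    for result, signing_domain in dkim_results(msg):
        if result == "pass" and aligned(signing_domain, sender):
            return "accept"
    return "quarantine"


# Constructed sample messages, mirroring the lure described above.
SAMPLE_SPOOFED = "\n".join([
    "Authentication-Results: mx.bank.example; dkim=fail (signature did not verify)"
    " header.d=cbr.ru header.s=s1; spf=fail smtp.mailfrom=bulk.example",
    'From: "Bank of Russia" <press@cbr.ru>',
    "Subject: Standardization of the format of CBR electronic communications",
    "",
    "See the attached archive.",
])

SAMPLE_LEGIT = "\n".join([
    "Authentication-Results: mx.bank.example; dkim=pass header.d=cbr.ru header.s=2018;"
    " spf=pass smtp.mailfrom=cbr.ru",
    "From: <press@cbr.ru>",
    "Subject: Circular letter",
    "",
    "Body.",
])

# Attacker injects a forged pass under a foreign authserv-id; our MTA saw no signature.
SAMPLE_FORGED_AR = "\n".join([
    "Authentication-Results: mail.attacker.example; dkim=pass header.d=cbr.ru",
    "Authentication-Results: mx.bank.example; dkim=none (no signature);"
    " spf=softfail smtp.mailfrom=attacker.example",
    "From: <press@cbr.ru>",
    "Subject: Urgent",
    "",
    "Body.",
])

if __name__ == "__main__":
    for name, sample in [("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT),
                         ("forged-ar", SAMPLE_FORGED_AR)]:
        print(f"{name:10s} -> {verdict(sample)}")
```

The check is deliberately narrow: it does not rate lookalike domains such as `cbr-ru.example`, which pass their own DKIM and never enter the trusted set, and it relies on the MTA stripping any pre-existing Authentication-Results header that names its own authserv-id, as RFC 8601 requires, since the parser cannot tell a genuine one from a forged one otherwise.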
The second campaign was attributed to a group named MoneyTaker. In this instance, the spoofed emails appeared to come from Russia's FinCERT, the Financial Sector Computer Emergency Response Team. They carried an attachment that downloaded a Meterpreter stager. The attribution to MoneyTaker rests on the attack's use of the same server infrastructure that MoneyTaker had used in previous attacks.