A cybercriminal phishing operation designed to infect victims with a malicious backdoor was recently discovered using command-and-control domains that intentionally spoofed the real-life domains of various Russian critical infrastructure firms.
The campaign’s focus on critical infrastructure at first gave it the appearance of an APT-sponsored cyberespionage operation, but upon closer inspection, the motivation appears to actually be financial in nature, according to researchers from Cylance, in a blog post published today.
“The effort required to set up those domains seemed disproportionate to the perceived benefit of using them simply as command-and-control infrastructure,” explains the blog post. And yet, this seems to be the case, as the targeted companies were largely the same as those listed in a 2017 Forbes article written by Group-IB CEO Ilya Sachkov, who detailed a criminal scheme in which actors used lookalike C2 domains for a fraud and credentials-harvesting operation.
Cylance’s report identifies Russian oil company Rosneft as among the most prominent companies whose domains were spoofed for command-and-control purposes, along with more than two dozen oil, gas, chemical, agricultural and other critical infrastructure organizations, as well as Russian financial exchanges. Examples included Russian holding company HCSDS (aka Siberian Business Union), and fertilizer companies Mendeleevskazot and EuroChem.
Cylance discovered the campaign in early 2018, but found that the perpetrators behind it started up their operations three years earlier, initially targeting Steam users and the gaming community before shifting strategies. Their choice of malware throughout this time period was a variant of the RedControle backdoor.
According to Cylance, RedControle can upload and download files, manipulate files and folders, compress and decompress files using ZLIB, communicate drive and host information (including IP addresses, hostname, attached drives, keystrokes and clipboard data), elevate privileges, capture screenshots and webcam pictures, block and/or simulate user input, log keystrokes, and manipulate processes. Written in Delphi, RedControle communicates with its C2 infrastructure using both HTTP via TCP port 80 and SSL via the Delphi Indy library.
Cylance said that the phishing campaign used Microsoft Office documents containing malicious macros in order to infect victims with a dropper that ultimately produces RedControle, along with a Sticky Keys backdoor — all while displaying an image of a holiday gift. The Sticky Keys backdoor enables Remote Desktop Protocol on the infected machine and performs a sticky keys hijack technique, the company reported.