Cybercriminal phishing campaign spoofs Russian critical infrastructure domains

A cybercriminal phishing operation designed to infect victims with a backdoor was recently discovered using command-and-control (C2) domains that deliberately spoofed the real domains of various Russian critical infrastructure firms.

The campaign's focus on critical infrastructure at first gave it the appearance of a state-sponsored APT cyberespionage operation, but on closer inspection the motivation appears to be financial, according to researchers from Cylance in a blog post published today.

"The effort required to set up those domains seemed disproportionate to the perceived benefit of using them simply as command-and-control infrastructure," explains the blog post. And yet, this seems to be the case, as the targeted companies were largely the same as those listed in a 2017 Forbes article written by Group-IB CEO Ilya Sachov, who detailed a criminal scheme in which actors used lookalike C2 domains for a fraud and credentials-harvesting operation.

Cylance's report identifies Russian oil company Rosneft as among the most prominent companies whose domains were spoofed for command-and-control purposes, along with more than two dozen oil, gas, chemical, agricultural and other critical infrastructure organizations, as well as Russian financial exchanges. Examples included Russian holding company HCSDS (aka Siberian Business Union), and fertilizer companies Mendeleevkazot and EuroChem.
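The detection question the two preceding paragraphs raise is how to spot C2 or phishing domains that impersonate a company you care about before the malware does anything else. The script below is an added example written for this article, not code from Cylance or from SC Media: it scores domains from a DNS query log against a watchlist of legitimate registrable domains using four checks (the legitimate name embedded as a subdomain of some other registrable domain, the brand under a different TLD, the brand with digit and letter-pair homoglyphs folded out, and a small edit distance). The watchlist entries and every domain in the sample log are constructed for illustration; none of them is a spoofed domain named in the report, and the "last two labels" rule for the registrable domain is a deliberate simplification of a public-suffix-list lookup.

```python
"""Flag lookalike domains in a DNS query log against a brand watchlist.

Added example for the SC Media article on spoofed Russian critical
infrastructure C2 domains; not Cylance's code. WATCHLIST and SAMPLE_LOG are
constructed for illustration (assumed, not taken from the report).
"""
from typing import Optional, Tuple, List

# Assumed legitimate registrable domains of watched organizations.
WATCHLIST = ["eurochem.ru", "mendeleevkazot.ru", "rosneft.ru"]

# Common visual substitutions used in typosquats; applied to the candidate only.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("4", "a"), ("5", "s"), ("7", "t")]


def registrable(domain: str) -> str:
    """Crude registrable-domain rule: last two labels (no public suffix list)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def brand(reg: str) -> str:
    """Leftmost label of a registrable domain, e.g. 'rosneft' for rosneft.ru."""
    return reg.split(".")[0]


def fold_homoglyphs(s: str) -> str:
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, O(len(a)*len(b)) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, watchlist=WATCHLIST) -> Optional[Tuple[str, str]]:
    """Return (legit_domain, reason) if `domain` impersonates a watchlist entry.

    Returns None for the legitimate domain itself, its own subdomains, and
    domains that resemble nothing on the watchlist.
    """
    d = domain.lower().strip(".")
    reg = registrable(d)
    if reg in watchlist:
        return None  # the real domain or one of its subdomains
    cand = brand(reg)
    for legit in sorted(watchlist):
        lb = brand(legit)
        # rosneft.ru.login-portal.net: the real FQDN as a subdomain elsewhere
        if "." + legit + "." in "." + d + ".":
            return (legit, "embedded-legit-domain")
        if cand == lb:                      # rosneft.com vs rosneft.ru
            return (legit, "brand-other-tld")
        if fold_homoglyphs(cand) == lb:     # r0sneft.ru
            return (legit, "homoglyph")
        if len(lb) >= 5 and lb in cand:     # rosneft-ru.com, rosneftcorp.net
            return (legit, "brand-in-label")
        if len(lb) >= 5 and levenshtein(cand, lb) <= 2:   # rosnef.ru
            return (legit, "edit-distance")
    return None


# Constructed DNS query log: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2018-03-01T10:02:11Z 10.1.2.3 A rosneft-ru.com
2018-03-01T10:02:15Z 10.1.2.3 A r0sneft.ru
2018-03-01T10:03:40Z 10.1.2.9 A mail.rosneft.ru
2018-03-01T10:04:02Z 10.1.2.9 A rosnef.ru
2018-03-01T10:05:17Z 10.1.2.4 A eurochem.ru
2018-03-01T10:06:30Z 10.1.2.4 A rosneft.ru.login-portal.net
2018-03-01T10:07:01Z 10.1.2.5 A example.com
"""


def scan(log: str) -> List[Tuple[str, str, str]]:
    """Return (queried_name, impersonated_domain, reason) for each suspicious query."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        verdict = classify(parts[-1])
        if verdict:
            hits.append((parts[-1], verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for qname, legit, reason in scan(SAMPLE_LOG):
        print(f"{qname:32} looks like {legit:18} [{reason}]")
```

Run against passive DNS or proxy logs, the output is a triage list rather than a verdict: "brand-in-label" and "edit-distance" hits include legitimate marketing and partner domains, so the practitioner's next step is to check WHOIS age, hosting and certificate data for each flagged name, which is exactly the kind of infrastructure pivot that led Cylance from the spoofed domains back to the 2017 fraud scheme.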

Cylance discovered the campaign in early 2018, but found that the perpetrators had been operating for three years before that, initially targeting Steam users and the gaming community before shifting strategies. Throughout this period their malware of choice was a variant of the RedControle backdoor.

According to Cylance, RedControle can upload, download and otherwise manipulate files and folders; compress and decompress data with zlib; report host information (IP addresses, hostname and attached drives); log keystrokes and capture clipboard data; elevate privileges; capture screenshots and webcam images; block or simulate user input; and manipulate processes. Written in Delphi, RedControle communicates with its C2 infrastructure both over plain HTTP on TCP port 80 and over SSL using the Delphi Indy library.

Cylance said the phishing campaign used Microsoft Office documents containing malicious macros to infect victims with a dropper that ultimately installs RedControle along with a Sticky Keys backdoor, all while displaying a decoy image of a holiday gift. The Sticky Keys backdoor enables Remote Desktop Protocol on the infected machine and performs a sticky keys hijack, the company reported. In the generic form of that technique, the accessibility helper sethc.exe (launched by pressing Shift five times at the Windows logon screen) is replaced or redirected to cmd.exe, so that anyone who can reach the logon screen over RDP gets a SYSTEM shell without supplying credentials; the page does not say which variant of the hijack this dropper uses.
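Because the Sticky Keys backdoor lives in two places a defender can audit offline, an RDP-enabling registry change and a sethc.exe hijack, the paragraph above translates directly into a host check. The script below is an added example for this article, not Cylance's code and not a signature for this specific dropper: it parses the text of a `reg export` file and flags an Image File Execution Options "Debugger" entry on any Windows accessibility binary, RDP switched on (`fDenyTSConnections=0`), and Network Level Authentication disabled on the RDP-Tcp listener (which the pre-logon hijack relies on). The registry export it runs over is constructed for illustration and includes a benign IFEO entry to show that only accessibility binaries are flagged.

```python
"""Audit a .reg export for sticky-keys hijack and RDP-enabling indicators.

Added example for the SC Media article on the RedControle campaign; not code
from Cylance. SAMPLE_REG is a constructed registry export, not real host data.
"""
import re
from typing import Dict, List, Union

Value = Union[str, int]

# Accessibility helpers reachable from the Windows logon screen.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
TERMINAL_SERVER = r"hkey_local_machine\system\currentcontrolset\control\terminal server"


def _decode(val: str) -> Value:
    """Decode the two value encodings this audit needs: REG_SZ and REG_DWORD."""
    if val.startswith('"') and val.endswith('"'):
        return val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if val.startswith("dword:"):
        return int(val[len("dword:"):], 16)
    return val  # hex(...)/binary data: kept raw, not needed here


def parse_reg(text: str) -> Dict[str, Dict[str, Value]]:
    """Parse 'Windows Registry Editor 5.00' export text into {key: {name: value}}."""
    hives: Dict[str, Dict[str, Value]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, val = m.groups()
            hives[current][name] = _decode(val)
    return hives


def audit(hives: Dict[str, Dict[str, Value]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    lowered = {k.lower(): v for k, v in hives.items()}
    for key, values in lowered.items():
        # IFEO\<exe> with a Debugger value silently launches the debugger instead
        if key.startswith(IFEO + "\\") and "Debugger" in values:
            exe = key.rsplit("\\", 1)[1]
            if exe in ACCESSIBILITY_BINARIES:
                findings.append(f"IFEO debugger hijack: {exe} -> {values['Debugger']}")
    ts = lowered.get(TERMINAL_SERVER, {})
    if ts.get("fDenyTSConnections") == 0:
        findings.append("RDP enabled (fDenyTSConnections=0)")
    rdp = lowered.get(TERMINAL_SERVER + r"\winstations\rdp-tcp", {})
    if rdp.get("UserAuthentication") == 0:
        findings.append("Network Level Authentication disabled on RDP-Tcp (UserAuthentication=0)")
    return findings


# Constructed export: one accessibility hijack, one benign IFEO entry, RDP on, NLA off.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000000
"PortNumber"=dword:00000d3d
"""


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

Two caveats for live use: the IFEO check catches the registry variant of the hijack only, so on a running host pair it with a hash or signature comparison of `%SystemRoot%\System32\sethc.exe` against cmd.exe to catch the file-replacement variant; and an RDP-enabled finding is only meaningful against a baseline, since many servers legitimately have it on, which is why the three indicators are reported separately rather than combined into a single score.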

Bradley Barth

