Symantec has revealed how six employees at a Russian bank got infected with a trojan through a phishing attack.
Using emails that were made to look like they were from the Central Bank of Russia and offered employment to their recipients, the emails were an attempt to deliver Trojan.Ratopak onto the target's computer.
Symantec says that targeted emails using finely crafted social-engineering tricks have become commonplace, with an increasing number targeted at employees of financial institutions.
The emails linked to the attacker's site which pointed to an archive file. Once extracted, the archive file opened a fake document and downloaded Trojan.Ratopak. Symantec have seen Ratopak signed with stolen certificates to make it appear to have come from a legitimate source.
Symantec said, “Trojan.Ratopak was likely used because it can allow the attacker to gain control of the compromised computer and steal information… including logging keystrokes, retrieving clipboard data, and viewing and controlling the screen. It can also be used to download other malicious files and tools.”
According to Symantec, “The attackers went to some effort to make the emails appear legitimate, even going as far as to register a domain very similar to the genuine Central Bank of Russia website. The URL for the Central Bank of Russia website is 'cbr.ru', while the URL for the attacker-controlled website is 'cbr.com.ru'.”
They went on to explain, “This would indicate that the emails sent out for this campaign appear to have been written by a native Russian speaker, using clean and simple language. This is also backed up by the fact that the attackers would need to speak Russian to make use of the information stolen through Ratopak. There are no obvious errors, except for one. The name in the 'From:' line of the email header differs from the signature at the end of the email. This and the '.com' in the URL are the clearest indicators that this is a fake email.”
Symantec has identified six Russian banks that were targeted in these attacks. A common link between several of the victims was a piece of software created by SBIS, a Russian company that develops, among other things, accounting and payroll applications.
In URLs used by SBIS, its accounting software is referred to as “buh”. The attackers behind these attacks used “buh” in their URLs, knowing that the victims would be using the software, in an attempt to make the links look legitimate. This is why researchers are now calling Trojan.Ratopak “Buhtrap”.
While there is no conclusive evidence of the attacker's goal, the attacks appear to be financially motivated. The specificity of the targets − employees at certain banks using accounting software to send the government tax information − certainly points towards this goal.
Symantec advises caution when receiving unsolicited emails extending job offers or referencing non-existent job applications. Even if an email seems legitimate, the attackers may have gone to serious effort to disguise the fact that it is actually fake.
Users are advised to:
- Not open attachments or click on links in unsolicited email messages
- Ensure their computer is fully patched and up to date
- Keep security software up to date with the latest updates