A spearphishing campaign targeted more than 400 industrial companies by sending highly personalized emails disguised as procurement and accounting documents.
The attacks started in the fall of 2017 and in one wave of attacks, cybercriminals targeted nearly 800 company PCs addressing the targeted victim's by their first and last name, according to a Kaspersky Lab blog post.
Threat actors targeted companies in the manufacturing, oil and gas, metallurgy, engineering, energy, construction, mining, and logistics industries.
“The attackers demonstrated a clear interest in targeting industrial companies in Russia,” said Vyacheslav Kopeytsev, a security expert at Kaspersky Lab. “Based on our experiences, this is likely to be due to the fact that their level of cybersecurity awareness is not as high as it is in other markets, such as financial services.”
Kopeytsev added that the industrial companies are lucrative targets for cybercriminals across the world.
The cybercriminals were focused on stealing money from their victim's accounts by using legitimate remote administration software such as TeamViewer or Remote Manipulator System/Remote Utilities (RMS).
Attackers also used Babylon RAT, Betabot/Neurevt, AZORult stealer, and Hallaj PRO Rat when they needed to steal additional data in such as logins and passwords for mailboxes, websites, SSH/FTP/Telnet clients, as well as logging keystrokes and making screenshots.
The threat actors also used RemoteUtilities which granted them the abilities to remotely control the system (RDP), transfer files to and from the infected system, control power on the infected system, remotely manage the processes of running application, and execute remote shell commands.
The tools also allowed them to manage hardware, capture screenshots and screen videos, record sound and video from recording devices connected to the infected system, and remotely manage the system registry.
The cybercriminals also used various techniques to mask the infections using legitimate software designed to search for tenders to mask their infections and evade antivirus solutions.
Researchers noted that while the majority of these attacks targeted Russian organizations, it's important to note these techniques could be used to target industrial companies in any country.