RedControle backdoor chosen as the group's weapon of choice

Dec 12, 2018 21:00 GMT

A cybercrime group running a phishing campaign designed to deliver a RedControle backdoor successfully spoofed the domains of critical Russian infrastructure to camouflage itself as a nation-state sponsored APT group.

The cybercriminals used this novel concealment technique to throw security researchers looking into their operations off the trail and send them looking for state-sponsored threat actors running far more complicated "espionage, sabotage, coercion, and information operations."

Cylance first discovered the cybercriminal group's malware toolkit back in July 2017, in the form of Word documents with embedded malicious macros targeting Russian speakers.

The documents surfaced again in early 2018, which allowed Cylance to discover that the command-and-control (C2) servers used by this malware campaign were designed to mimic the domains of Russian industrial companies drawn from a long list of critical infrastructure targets.

Moreover, the campaign specifically targeted Rosneft and its subsidiaries, but it also "created similar sites to mimic more than two dozen mostly state-owned oil, gas, chemical, agricultural, and other critical infrastructure organizations, in addition to major Russian financial exchanges."

Second backdoor provided remote control of compromised machines

While digging further into the operation's behavior, Cylance also discovered that it had been active for more than three years, with the malware used throughout this period undergoing only minimal changes.

The security researchers discovered that the malicious Word documents used in the attacks dropped the RedControle backdoor downloaded from an FTP server.

Once the backdoor was launched on a compromised system, it sent the machine's IP address, hostname, and attached-drive information to its operators, as well as clipboard data, keystrokes, and window titles, all in clear text over HTTP and in near real time.

Furthermore, the RedControle payload also "had the ability to upload and download files, manipulate files and folders, compress and decompress files using ZLIB, enumerate drive information and host information, elevate privileges, capture screenshots and webcam pictures, block and/or simulate user input, log keystrokes, and manipulate processes on the infected system."

To top things off, the crooks also dropped a Sticky Keys backdoor onto the infected machines, designed to allow its masters to control them remotely.
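The article does not say how this group's Sticky Keys backdoor was implemented, so the script below is an added defender-side check, not code from the article or from Cylance's research. It assumes the two mechanisms such backdoors commonly use on Windows: an "Image File Execution Options" debugger entry that redirects an accessibility binary (sethc.exe and its siblings) to another program, or the binary in System32 being swapped for a copy of a command shell. Both can be triggered from the logon screen, which is what gives remote control without credentials, so an audit of every host in the fleet is the practical response.

```powershell
# Added example: audit a Windows host for Sticky Keys style accessibility
# backdoors. Not the article's or Cylance's code; the mechanisms checked are
# assumptions about what a defender would look for, since the article does not
# describe how this group's backdoor worked.

$accessibilityBinaries = @(
    'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
    'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$system32 = Join-Path $env:SystemRoot 'System32'

# Hashes of the shells most often swapped in; any accessibility binary that
# is byte-identical to one of these has been replaced.
$shellHashes = @{}
foreach ($shell in @('cmd.exe', 'powershell.exe')) {
    $p = Join-Path $system32 $shell
    if (Test-Path $p) {
        $shellHashes[$shell] = (Get-FileHash -Path $p -Algorithm SHA256).Hash
    }
}

$findings = New-Object System.Collections.Generic.List[string]

foreach ($bin in $accessibilityBinaries) {
    # Check 1: an IFEO "Debugger" value makes Windows launch the named program
    # in place of the binary, even when it is invoked from the logon screen.
    $key = Join-Path $ifeoRoot $bin
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings.Add("IFEO Debugger set for ${bin}: $dbg")
        }
    }

    # Check 2: the binary on disk has been replaced by a command shell.
    $path = Join-Path $system32 $bin
    if (Test-Path $path) {
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        foreach ($shell in $shellHashes.Keys) {
            if ($hash -eq $shellHashes[$shell]) {
                $findings.Add("$bin is byte-identical to $shell (replaced binary)")
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Sticky Keys backdoor indicators found.'
} else {
    Write-Output 'Sticky Keys backdoor indicators:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it in an elevated PowerShell session (the IFEO keys and System32 are readable without elevation, but remediation is not). The hash comparison only catches a swap for one of the listed stock shells; a binary replaced with a custom program would pass that check and would instead need to be caught by comparing the file's hash against a known-good copy from installation media or by Windows file integrity checks such as `sfc /scannow`.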