The NCC warned about a campaign by cybercriminals aimed at introducing Dark Crystal RAT malware into the information systems of Russian organizations

Source: https://cobaltstrike.net/2022/03/19/the-ncc-warned-about-a-campaign-by-cybercriminals-aimed-at-introducing-dark-crystal-rat-malware-into-the-information-systems-of-russian-organizations/

“Attackers use social engineering methods to spread malware, sending phishing emails with malicious links to victims on behalf of federal executive authorities,” the NCC reports.

When a victim clicks one of the links, malware modules are downloaded to the victim’s computer. The modules are protected against running in a debugger or a virtual environment, and they collect cryptocurrency wallet addresses, lists of running processes, network connections, a list of USB devices, and information about the operating system.

“The collected data is redirected to resources controlled by the attackers,” the center said.

The NCC reported that the phishing emails come, in particular, from the e-mail addresses noreply@mvd.msk.ru and noreply@fsbinfo.ru.

Examples of phishing email subject lines:

  • “Order of the FSB of the Russian Federation ‘On approval of Requirements for means designed to detect, prevent and eliminate the consequences of computer attacks and respond to computer incidents’”.
  • “Ensuring the national security of the Russian Federation”.

The NCC recommends taking the following measures to neutralize the threat:

    1. Keep the databases of the anti-virus protection tools in use regularly updated to their current state.
    2. Assess the risk of malware infection by analyzing not only the attachments in emails, but also the web links contained in them.
    3. Download and open files only from trusted sources.
    4. Check IT resources and network traffic for the indicators of malicious activity presented in the NCC bulletin.
    5. Inform employees of the organization about the danger of clicking on links and opening attachments in emails, even those received from known senders.
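
A mail-triage example for recommendations 2 and 4, added here and not taken from the NCC bulletin: it flags a message whose sender or subject matches the indicators quoted in this article and lists every link in its body for review. The function name `triage`, the sample message and its URL are constructed, and the subject markers assume the English renderings shown on this page rather than the original-language text.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Sender addresses named in the article.
SENDERS = {"noreply@mvd.msk.ru", "noreply@fsbinfo.ru"}
# Assumption: English renderings of the subject lines quoted in the article.
SUBJECT_MARKERS = (
    "order of the fsb of the russian federation",
    "ensuring the national security of the russian federation",
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def triage(raw):
    """Return (reasons, urls) for one RFC 5322 message given as text."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    # The visible From and the envelope Return-Path can differ, so check both.
    for header in ("From", "Return-Path"):
        addr = parseaddr(str(msg.get(header, "")))[1].lower()
        if addr in SENDERS:
            reasons.append(f"{header} matches listed sender {addr}")
    # Collapse whitespace so folded subject headers still match.
    subject = " ".join(str(msg.get("Subject", "")).lower().split())
    if any(marker in subject for marker in SUBJECT_MARKERS):
        reasons.append("subject matches a listed lure")
    # Recommendation 2: collect links from every text part, not only attachments.
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;)")
            if url not in urls:
                urls.append(url)
    return reasons, urls


# Constructed sample message (not a real capture); the URL is a placeholder.
SAMPLE = (
    'From: "Notice" <noreply@fsbinfo.ru>\n'
    "To: user@example.org\n"
    "Subject: Ensuring the national security of the Russian Federation\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Read the document: http://files.example.invalid/doc.\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A message with no matching reasons can still carry links, so the returned URL list is worth checking against the bulletin's indicators on its own.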
