Companies began to receive phishing emails with malware disguised as notifications from Roskomnadzor


In July, Russian businesses began receiving emails purporting to be from Roskomnadzor that deliver the new White Snake malware, which is designed to steal user logins, passwords and confidential data and to gain access to microphone audio or webcam recordings. The damage from such an attack, depending on the size of the company, can reach hundreds of millions of rubles, experts say. But selling stolen data on shady forums will do much more damage.

In July, attackers began sending companies phishing emails with malicious software designed to steal passwords and other data, experts from the BI.ZONE cyber intelligence department (a former Sberbank entity) told Kommersant. The malware, called White Snake, appeared only this year, BI.ZONE specified. It lets an attacker obtain saved user passwords, copy files, record keystrokes, capture sound from a microphone and video from a webcam, and gain other types of access to the device.

One of the ways White Snake was distributed was through emails sent to commercial addresses, including those from data leaks, under the guise of Roskomnadzor notifications. The first attachment to the email contains a notice from the department, which states that “in the course of selective monitoring of activity” it was established that employees visited extremist Internet resources and sites that distribute materials of foreign agents. Roskomnadzor allegedly demands that the recipient check the materials attached to the email and provide an explanation within two working days, threatening administrative and criminal measures. The second file contains a link to malware.

BI.ZONE noted that it was unusual for the attack to use “commercial malware”, that is, malware sold on shadow forums rather than created by the group for its own purposes. A subscription to it costs $140 per month, and unlimited access costs $1.9 thousand. The low price and ease of use lead to “an inevitable increase in the number of targeted attacks,” emphasizes Oleg Skulkin, head of the BI.ZONE cyber intelligence department.

Kaspersky Lab confirms the threat: the attackers use various pretexts to convince the user to open the archive, ranging from threats of multimillion-dollar fines to a “checked by antivirus” mark at the end of the email.

Roskomnadzor stated on its Telegram channel that the agency “is not engaged in mass mailing of letters to citizens, organizations or authorities.” The service declined to comment further. Previously, the public sector itself was subjected to phishing mailings: in the spring, the XDSpy group attacked the structures of the Ministry of Foreign Affairs by sending malware supposedly from colleagues to gain illegal access to the corporate mail of the ministry (see Kommersant of March 31).

White Snake can collect data on an infected computer from popular browsers such as Chrome and Firefox (passwords, downloads) and from well-known programs such as Outlook, Discord and Telegram, as well as from crypto wallets, adds Alexander Badaev, a threat research specialist at Positive Technologies (PT ESC): “If one employee is infected with White Snake, attackers can gain access to the devices of others through the collected credentials.”

The most tangible attacks affect companies in the financial sector, including owners of digital wallets, and scientific and technical organizations, whose developments and intellectual property are of particular value, according to Informzashita.

Depending on the type of company and the goals of the criminals, the damage in each specific case can range from “several million to hundreds of millions of rubles,” says Aleksey Kuznetsov, head of security analysis at the Future Crew MTS RED innovation center. “Most often, these viruses steal account data, and since 70% of companies do not have two-factor authentication, attackers are more likely to get a point of presence in the company,” he says. After that, the expert says, the information can be sold on the dark web or used for long-term espionage.

Tatyana Isakova
