Hackers are using Windows Security Updates as bait for phishing emails.
Russian government agencies have been hit by a series of phishing emails disguised as Windows security updates. The messages looked legitimate enough that recipients did not treat them as suspicious.
Employees were lured into installing the supposed update; what they actually ran was remote access malware.
The attacks are attributed to a previously undocumented APT (advanced persistent threat) group believed to operate out of China. The same group is thought to be behind four distinct spear-phishing campaigns.
Windows Security Updates in Phishing Emails
The phishing emails carrying fake Windows security updates have been reported to target various government agencies and organizations within the Russian Federation. The timing supports that reading: the campaigns ran from February to April 2022, coinciding with the Russia-Ukraine conflict.
According to Bleeping Computer, all four phishing campaigns shared the goal of infecting devices with a custom remote access trojan (RAT), which is suspected of aiding espionage operations during that period of intense conflict.
The first of the four campaigns attributed to this new APT began in February 2022, just days after Russia invaded Ukraine. At that time the RAT was distributed under the file name interactive map UA.exe.
For the second campaign the APT prepared a more elaborate lure to convince targets that the emails were legitimate. The attackers sent a tar.gz archive that was supposed to be a fix for the Log4Shell vulnerability (CVE-2021-44228) and that appeared to come from the Russian Federation's Ministry of Digital Development, Telecommunications, and Mass Communications.
In the third wave, the attackers impersonated Rostec, a state-owned Russian defense conglomerate. They used newly registered domains such as Rostec.digital and fake Facebook accounts to spread the malware while making it appear to originate from a known entity.
Lastly, in the final wave in April 2022, the attackers shifted to a macro-infected Word document containing a fake job advertisement supposedly placed by Saudi Aramco, a major oil and natural gas company.
The document targeted candidates for a "Strategy and Growth Analyst" position and used a technique called "remote template injection": the document itself carries no macro, only a reference to an external template that Word fetches when the file is opened. The fetched template contained the malicious macro, which in turn dropped the VBS script on the victim's machine. Because the document on disk is macro-free, scanners that look only at the attachment itself miss the payload.
The Hackers Behind the Phishing Attacks
Researchers note that the threat actor appears to be covering its tracks by impersonating other groups and reusing tooling associated with them.
Parts of the infrastructure, for example, were previously linked to the Sakula RAT used by the Chinese Deep Panda APT.
Another notable finding is that the Saudi Aramco wave used the same macro builder seen in TrickBot and BazarLoader campaigns. Bleeping Computer has previously reported on Chinese threat actors targeting Russian government agencies.
Some security analysts attribute these phishing campaigns to a Chinese threat group; others consider the available evidence insufficient for a confident attribution.