Dozens of banks in Russia were targeted this week by hackers pretending to be the security arm of the Russian Central Bank, FinCERT. While phishing attacks against banks in Russia are nothing new, one posing as the very center that's supposed to defend banks against such attacks is worth looking at.
On March 14, shady individuals registered fincert.net, a deceptive domain that, at a glance, would lead one to believe it is owned by FinCERT. However, fincert.net isn't FinCERT's domain; the organization's real domain is cbr.ru.
FinCERT is a department of the Russian Central Bank. It was created after a 2014 order by the Russian Security Council called for the creation of a center that would respond to cyber-based fraud and attacks. Since going online, FinCERT has become a major player in Russia as far as banking and information security are concerned.
At noon on March 15, the attackers launched their email campaign from info [at] fincert.net. They selected this time of day for good reason: the lunch rush could give them a better chance at success.
According to Kaspersky's Alexander Gostev, who blogged about the incident on the company's Russian portal, the attackers were particular about their messages and to whom they were addressed. This suggests the attackers were working from a targeted list of addresses and names, as none of the recipient addresses were publicly available. The messages were formal, properly addressed and titled.
(An English version of Gostev's post was not available at the time this story went to print.)
A day later, on the morning of March 16, the attackers sent additional messages to what is suspected to be several hundred Russian banks. But there was a small mistake: the messages contained grammatical errors involving the word compromise.
The attachment, however, got it right. The Word document was formatted to look like a legitimate FinCERT bulletin – suggesting that the attackers took their time to learn proper protocol and standards. A remarkable feat, considering FinCERT notifications are usually not for public consumption.
The document used a macro to download a file from a remote server. The file itself was signed just hours prior to the start of the attacks with a valid code-signing certificate belonging to a company in Moscow. The certificate was issued by Comodo. If the file is executed, a legitimate remote administration tool (LiteManager 3.4) is installed.
The Kaspersky post didn't state if there were any confirmed victims.
Again, the point isn't that the attackers used spear phishing as a mode of attack; that's rather common. But the level of effort that went into this campaign is unusual.
The attackers registered a solid domain, did their homework on who to target and when, researched the proper formatting of FinCERT notifications, and made sure their files were signed by legitimate certificates. Even the backdoor was a legal piece of software.
The only weak points in this scheme were the use of macros and the failure to check for grammatical errors.
But considering how well the campaign executed on every other front, human nature (and the lunch rush) will likely overrule any error checking, which increases the odds of someone clicking and installing the remote access tool.