Recall that dictator Vladimir Putin in September announced the mobilization into the armed forces of Russia against the backdrop of a series of defeats during the aggression against Ukraine.

And we also note that Kaspersky Lab may well be connected with the Russian intelligence, therefore we do not recommend treating information from this company with full confidence, and we also do not recommend using the company’s products.

Let me remind you that we wrote that Cisco Hack Is Linked to Russian-Speaking Hackers from Evil Corp, and also that State Department Offers $1 million for Info on Russian Hackers.

Researchers write that in the first working week of October they discovered the distribution of malicious emails. These messages said that due to the refuse to receive summons for the conscription, the person was called to urgently appear at the appointed place and time. More detailed information is allegedly indicated in the agenda in PDF format, which must be downloaded from the link.

The letter is carefully prepared and looks believable: it contains references to the articles of the Criminal Code of the Russian Federation, the heraldry and style of the relevant department. In the text, the perpetrators threaten the victims with possible fines and criminal liability.

The link to the fake summons leads to an archive with an executable script with the WSF extension. If you open the file, it will fake download and display in the browser a PDF document that mimics the scanned agenda, but in parallel will create the AnalysisLinkManager.exe file in the temporary folder and run it.

It is noted that the malware and techniques used have many similarities with the tools of the XDSpy hack group. In particular, the source code of the malicious WSF script and the launch methods, as well as partially the names of the files, coincide with the versions of previous years.

The goals of XDSpy grouping are espionage, theft of documents and other files, as well as data for accessing corporate mailboxes.

We also recall that the best way to survive for Russian soldiers and conscripts who have received a real summons and got into the territory of Ukraine is to surrender to the Ukrainian armed forces.

The post Hacker Group XDSpy Distributes Malware in Russia under the Guise of Subpoenas for the Army appeared first on Gridinsoft Blog.

Let me remind you that we wrote that Hacker groups split up: some of them support Russia, others Ukraine, and also that Shuckworm hackers attack Ukrainian organizations with a new variant of Pteredo backdoor.

This malicious campaign uses a decoy website to lure the user to a fake news article with unreleased information about the situation in Ukraine. The site contains a malicious document that installs a RAT with the ability to remotely execute commands and file operations. The campaign was exposed by Malwarebytes threat analysts who provided all the details and signs of compromise in their report.

The cybercriminal registered a domain for the collaboration-bw[.]de phishing site after the real domain expired and cloned the look and feel of the real site.

A site visitor can find a malicious download called “2022-Q2-Bedrohungslage-Ukraine” with information about the situation in Ukraine.

According to the text, the document is constantly updated with new information and the user is strongly advised to download a fresh copy every day. The downloaded ZIP archive contains a CHM file that consists of several compiled HTML files. A fake error message is thrown when opening the file.

At this time, in the background, the file runs PowerShell and Base64 deobfuscator, which leads to the extraction and execution of malicious code from a fake site.

As a result, the script downloads two files to the victim’s computer: a RAT in the form of a .txt file and a .cmd file that helps execute malicious code through PowerShell.

The PowerShell RAT hides in Status.txt and begins its malicious operation by collecting basic system information and assigning a unique client ID. The stolen information is then exfiltrated into the German domain kleinm[.]de. To bypass Windows AMSI (Anti-malware Scan Interface), RAT uses an AES encrypted bypass function that will be decrypted immediately using a generated key.

The main features of the RAT are the following:

1. Download files from C2 server (Command and Control, C&C);
2. Uploading files to C2 server;
3. Loading and executing a PowerShell script;
4. Execution of certain commands.

Malwarebytes does not provide specific examples of the use of RAT in practice, so the goals of the campaign remain unknown.

The user needs to be careful when downloading files from the Internet, as even well-known and previously trusted websites may have quietly changed owners. When it comes to news sites, the offer to download material in document format can be seen as a potential threat.

The post Germans Interested in the Situation in Ukraine Are Attacked by the PowerShell RAT Malware appeared first on Gridinsoft Blog.

The announcement states that the reward is intended for anyone who can provide information to help identify and locate any of the people who, acting under command or on behalf of foreign nation-states, participated in attacks on objects of the US critical infrastructure.

The notification specifies that the wanted people are the members of a hacker group known as Sandworm Team, Telebots, Iron Viking, and Voodoo Bear. DC ties the named groups with the infection of computers in the US and other countries with the malware known as NotPetya on June 17, 2017.

Earlier, the FBI has made statements about the hackers’ increased attention to American companies from the start of the Russian invasion of Ukraine. According to information from the Bureau, presumed Russian hackers scanned the networks of five American energy companies and at least 18 US financial and defense-related companies.

Although the US authorities don’t have any direct evidence of Russian threat actors committing an attack on the US, US President Joe Biden said on March 18 that Russia would most likely use its cyber warfare tools, but it was still exploring an attack.

In the context of the Russian invasion of Ukraine, the United States’ war on ransomware has gained features of the international cyber-war. The US has decisively joined forces with European law enforcement to seize servers of Hydra in Germany and arrest the RaidForums administrator Diogo Santos Coelho in Britain. Hydra, the Russian-language darknet black market, and RaidForums, one of the world’s largest hackers’ forum, stopped working.

RELATED: CISA and several other US agencies has made a joint warning about the nation-state threat actors jeopardizing American energy industry using PIPEDREAM malware.

The post State Department Offers $1 million for Info on Russian Hackers appeared first on Gridinsoft Blog.

By the way, let me remind you that we reported that hacker groups split up: some of them support Russia, others Ukraine.

Back in early March, Trend Micro analysts wrote about RuRansom, who told users and companies about the new anti-Russian viper. According to the company, the malware appeared on February 26 and was created as a destructive software, specifically to destroy the backups and data of the victims.

As VMware experts, who have prepared their own analysis, now say, the viper is written in .NET and spreads like a worm and copies itself as a file with a double doc.exe extension to all removable drives and connected network resources.

After being launched on the victim machine, the malware immediately calls the IsRussia() function, checking the public IP address of the system using a well-known service located at https://api[.]ipify[.]org. RuRansom then uses the IP address to determine the geographic location of the machine using a known geolocation service using the URL format https://ip-api[.]com/#[public ip].

Note: And also, for example, we reported that leaked Conti ransomware source codes were used to attack Russian authorities.

If the target is not in Russia, the malware displays a message on the screen: “Only Russian users can run the program” and stops execution.

If the process is not interrupted, the malware gains administrator privileges using cmd.exe /c powershell start-process -verb runas and proceeds to encrypt data. Encryption applies to all extensions except for .bak files, which are removed. The files are encrypted using the AES-CBC algorithm with a hard-coded salt and a randomly generated base64-length key (“FullScaleCyberInvasion + ” + MachineName).

At the same time, the note left by the malware author in the code and file “Full-scale_cyber-invasion.txt” says that he does not need a ransom, and he wants to harm Russia by avenging the “special military operation” in Ukraine.

The post RuRansom Malware Destroys Data in Russian Systems appeared first on Gridinsoft Blog.

Bleeping Computer says that there has been a serious split in the hacker community.

For example, the administrator of the database and trading platform RaidForums openly stated that he was imposing his own sanctions and blocking access for users from Russia. He made his position clear, saying that he opposes the Kremlin’s actions.

Another RaidForums participant posted an even harsher message as a warning to the “Russians”. He also posted on the forum a database with e-mail addresses and hashed passwords and the fsb.ru domain. Although the authenticity of this information has not yet been verified, the same user previously hosted similar databases for US .mil domains.

Let me remind you that we also said that Anonymous hackers declared war on the Russian government.

At the same time, extortionist groups also took up the opposite sides of the conflict. For example, members of one of the most aggressive hacker groups, Conti, declared “the full support of the Russian government” and threatened to retaliate with cyberattacks against anyone who attacks Russia, promising to use all their resources “to strike back at the enemy’s critical infrastructures.”

A little later, the hackers changed the statement, noting that in doing so they “do not ally with any government, and condemn the ongoing war”.

Another far less well-known hack group, CoomingProject, has also said it will support the Russian government if cyberattacks are directed against the country.

Interesting statistics about the “political position” of various hacker groups are also collected by journalists from The Record. According to them, two more groups have publicly declared their position.

UNC1151, allegedly based in Minsk, supports Russia. This hack group is considered to be Belarusian “government hackers” and is allegedly already working on hacking the emails of Ukrainian military personnel.

The Red Bandits also took the side of Russia. Back on February 22, the group announced on Twitter:

We also said that the FBI and NSA release a statement about attacks by Russian hackers.

The post Hacker groups split up: some of them support Russia, others Ukraine appeared first on Gridinsoft Blog.

Shortly thereafter, the group claimed responsibility for taking down a number of government websites, the RT website, and the Russian Ministry of Defense.

It should be noted that yesterday there were indeed problems with access to kremlin.ru, as well as other government resources and banking sites, and RT representatives confirmed that they were under heavy DDoS attacks.

Currently, all of the listed sites are available, and the National Coordination Center for Computer Incidents (NCCC) warned of the threat of “an increase in the intensity of computer attacks on Russian information resources, including critical information infrastructure.”

The Record, which also records the escalation of cyberattacks in linkage with the outbreak of a military conflict, noted that the Russian government seems to have taken protective measures. Thus, government sites, including the exclusively military domain mil.ru, have become inaccessible to foreign visitors – resources limit traffic from sources outside of Russia.

Actually, this means that the servers are now configured not to show the content of the site to people trying to access it from another country. Instead, visitors from blocked areas see a “418 I’m a teapot” error.

This error originated as a joke in the late 90s and is not part of any official standard. Usually, these errors are used as a kind of “inside joke” among network administrators to block incoming traffic. In particular, they are used in response to DDoS attacks and attempts to parse sites or APIs to inform attackers that their activities have been detected and actively blocked.

However, soon a merged database of the website of the Russian Ministry of Defence appeared on the network – mil.ru from Zer0Day Lab. Anonymous claimed responsibility for the hack. Please, decide for yourself how successful the attacks against the Russian government are and how ethical it is to leak this data into the network.

Let me remind you that we also wrote that the FBI and NSA release a statement about attacks by Russian hackers, and that Russian-speaking hackers attacked the government infrastructure of Poland.

The post Anonymous hackers declared war on the Russian government appeared first on Gridinsoft Blog.