The electoral process became a cover for the theft of personal data of Russians

How did the criminals manage to hide SapphireStealer in legitimate CEC documents?

In the run-up to the recent presidential election in the Russian Federation, researchers at F.A.C.C.T. recorded a fraudulent campaign distributing an infostealer disguised as official documents of the Central Election Commission (CEC), including ballots.

The malware in question is SapphireStealer, which targets Windows and can steal credentials from web browsers and from the Telegram desktop client.

Particularly troubling is that the fraudsters distributed their malware from a fake website imitating the official site of the Russian Government.

According to the researchers, distribution of SapphireStealer began before the election. The malware is written in C# and can collect user data, take screenshots, and send the stolen information to the attackers via Telegram or email.

Notably, the stealer's source code has been publicly available since March 2022, which puts it within easy reach of any cybercriminal.

The SapphireStealer attack examined by the experts was delivered through an executable file named "On providing information about upcoming events. выборах.ехе". This file not only launched the stealer but also downloaded an additional malicious payload from the attackers' servers.

To draw the victims' attention and lull their vigilance, launching the malicious program also opened a legitimate multi-page PDF document directly related to the then-upcoming election.

While analysing the operation, the experts noted that the fraudsters used several fake domains at once: "govermentu[.]ru" and "supgov[.]en", although the second one apparently was never used in real attacks.
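The lure described above rests on two things that a mail gateway or endpoint triage can check: an executable whose name reads like a document title (shown together with a decoy PDF), and a domain that imitates a government site. The Python script below is an added example, not code from F.A.C.C.T.'s report or from the malware. The extension tables, the Cyrillic look-alike mapping, the reference domain list and the sample file names are constructed assumptions; the Cyrillic spelling of the ".ехе" extension is inferred from the file name quoted above.

```python
import difflib
import os
import unicodedata

# Extensions Windows treats as runnable; a document-sounding name carrying one
# of these is the lure pattern used in the SapphireStealer campaign. Constructed list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".vbs", ".hta", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}

# Cyrillic letters that render like Latin ones (assumed, partial table), so that
# an extension typed as Cyrillic ".ехе" is recognised as ".exe".
CYRILLIC_TO_LATIN = str.maketrans({
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u043a": "k", "\u0442": "t", "\u043c": "m",
})

# Assumed allowlist of genuine domains that the fake sites imitate.
REFERENCE_DOMAINS = ["government.ru", "gov.ru"]


def scripts_in(text):
    """Return the Unicode scripts (e.g. {'LATIN', 'CYRILLIC'}) of the letters in text."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def screen_filename(name):
    """Return the reasons (possibly none) why a file name looks like a disguised executable."""
    reasons = []
    stem, ext = os.path.splitext(name)
    ext_folded = ext.lower().translate(CYRILLIC_TO_LATIN)
    if ext_folded != ext.lower():
        reasons.append("extension spelled with Cyrillic look-alikes: %r reads as %r"
                       % (ext, ext_folded))
    if ext_folded in EXECUTABLE_EXTS:
        inner_ext = os.path.splitext(stem)[1].lower()
        if inner_ext in DOCUMENT_EXTS:
            reasons.append("double extension: %r hidden before %r" % (inner_ext, ext_folded))
        words = len(stem.split())
        if words >= 3:
            reasons.append("executable named like a document title (%d words)" % words)
    scripts = scripts_in(stem)
    if len(scripts) > 1:
        reasons.append("name mixes scripts: %s" % ", ".join(sorted(scripts)))
    return reasons


def lookalike_domain(domain, reference=REFERENCE_DOMAINS, threshold=0.8):
    """Return (closest_reference, similarity) when the domain imitates a reference
    domain without being one; otherwise None. Defanged '[.]' is undone first."""
    candidate = domain.replace("[.]", ".").lower()
    if candidate in reference:
        return None
    best, ratio = max(
        ((ref, difflib.SequenceMatcher(None, candidate, ref).ratio()) for ref in reference),
        key=lambda pair: pair[1],
    )
    return (best, round(ratio, 2)) if ratio >= threshold else None


# Constructed sample names; the last one mimics the campaign's lure with a
# Cyrillic "ехе" extension written as escapes so the look-alike letters are visible.
SAMPLE_FILES = [
    "Ballot_2024.pdf",
    "Election_notice.pdf.exe",
    "On providing information about upcoming elections.\u0435\u0445\u0435",
]

if __name__ == "__main__":
    for name in SAMPLE_FILES:
        print(name, "->", screen_filename(name) or "clean")
    for dom in ("govermentu[.]ru", "government.ru", "example.org"):
        print(dom, "->", lookalike_domain(dom))
```

The file-name check is deliberately cheap (no content inspection) so it can run on every attachment or download name; a hit should route the file to sandbox detonation rather than block it outright, since long descriptive names are common for genuine documents. The domain check uses a plain similarity ratio against a small allowlist, which is enough to catch a one-letter typosquat such as "govermentu" against "government".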

In the full report, F.A.C.C.T. specialists provide all the technical details of the malware, including indicators of compromise and the characteristics of the decoy file. Among other things, the experts stress the importance of awareness of such threats and call for vigilance when handling suspicious files and links.

Although the presidential election is over, Russian citizens face a unified voting day on September 8 this year, and the attackers behind this campaign may well try to repeat the operation on its eve.