Russian-speaking Hackers Steal Money From Industrial Enterprises

✨ Megiddo

In a malicious campaign that lasted from 2018 to 2020, attackers used RMS and TeamViewer.


Kaspersky Lab specialists have disclosed details of a malicious campaign aimed at industrial enterprises, during which cybercriminals use the remote access tools RMS and TeamViewer.

According to Kaspersky Lab, the malicious campaign ran from 2018 until at least the fall of 2020. However, the experts have only now published a report on the attacks, having waited for the RMS software vendor to make changes to the operation of its services.

During the malicious campaign, cybercriminals sent out phishing emails that were disguised as business correspondence between organizations and contained malware. In particular, the attackers used legitimate documents, such as memos and documents with equipment settings or other information about the technological process, stolen either from the attacked company itself or from its partners. The main goal of the cybercriminals is to steal funds from the attacked organization.

In addition to social engineering, attackers use remote administration utilities whose graphical interface is hidden by malware, allowing them to stealthily manage the infected system.

Compared to 2018, the attackers have modified their attack methods, and more and more enterprises are exposed to the threat of infection. In the new version of the malware, the channel used to notify the attackers of newly infected systems has changed: instead of the malware's control servers, it now uses the web interface of the RMS remote administration utility's cloud management infrastructure.

A Russian-speaking group is behind the attacks, which target industrial enterprises as well as organizations in the oil and gas, metallurgical and energy industries, logistics and construction companies, etc.