Rivers of Phish – New Phishing Campaign Targets Russia’s Enemies Globally


Citizen Lab, in collaboration with Access Now and other civil society organizations, has exposed a sophisticated spear-phishing campaign dubbed “River of Phish” that targets Russia’s perceived enemies around the world.

The joint investigation found that the coordinated spear-phishing went after specific, named individuals across multiple countries and sectors of civil society.


The threat actor used advanced digital targeting techniques to compromise the accounts of activists, journalists, and human rights defenders.


Technical Analysis

COLDRIVER, also tracked as Star Blizzard and TA446, is a Russian threat group linked to the FSB. It is behind a well-crafted phishing campaign called “River of Phish” that targets opposition figures, journalists, NGOs, academics, and policymakers working on Russia, Ukraine, and Belarus.

The attackers send highly personalized emails that impersonate people the target already knows. The bait is not malware but a PDF that appears to be encrypted or protected and cannot be read as delivered.

The link offered to “open” the document leads to a phishing site that harvests the victim’s login credentials and captures the one-time code they enter, so conventional two-factor authentication does not stop the account takeover. The lure PDFs also share similar metadata structures and English-language author names, which is useful for clustering them.

Two River of Phish PDFs and one COLDRIVER PDF (Source – Citizen Lab)
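The metadata and link traits described above are exactly what a defender wants to pull out of a suspicious attachment before anyone clicks. The following triage helper is an added example, not Citizen Lab’s or the article author’s code: it extracts the Info-dictionary metadata and every /URI link action from raw PDF bytes with regular expressions, then flags “encrypted/protected” wording in the title and links to hosts outside an allowlist. The sample PDF, the author name and the host files-share.example are constructed for the demonstration; the regex approach assumes uncompressed objects, so a real pipeline would parse with a proper PDF library (pypdf, for instance) before applying the same checks.

```python
import re
from urllib.parse import urlparse

# Constructed minimal PDF modelled on a lure: an English author name in the
# Info dictionary, a title claiming encryption, and a single link annotation
# pointing at a hypothetical file-sharing host. Not a real sample.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://files-share.example/decrypt) >> >> endobj
5 0 obj << /Author (John Smith) /Producer (Microsoft Word) /Title (Encrypted document) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

INFO_KEYS = ("Author", "Producer", "Creator", "Title")


def extract_metadata(pdf: bytes) -> dict:
    """Return the string entries of the Info dictionary as {key: value}.

    Works on uncompressed objects only (assumption); object streams need a
    real PDF parser.
    """
    # The trailer names the Info object; locate that object's dictionary.
    ref = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", pdf)
    if not ref:
        return {}
    obj = re.search(rb"\n" + ref.group(1) + rb"\s+\d+\s+obj\s*<<(.*?)>>\s*endobj", pdf, re.S)
    if not obj:
        return {}
    meta = {}
    for key in INFO_KEYS:
        val = re.search(rb"/" + key.encode() + rb"\s*\((.*?)\)", obj.group(1))
        if val:
            meta[key] = val.group(1).decode("latin-1")
    return meta


def extract_link_uris(pdf: bytes) -> list:
    """Return every /URI target found in link actions, in document order."""
    return [u.decode("latin-1") for u in re.findall(rb"/S\s*/URI\s*/URI\s*\((.*?)\)", pdf)]


def triage(pdf: bytes, trusted_hosts=()) -> tuple:
    """Return (metadata, findings) for a PDF attachment.

    Findings are raised for a title that claims the file is encrypted or
    protected, and for any link whose host is not in trusted_hosts.
    """
    meta = extract_metadata(pdf)
    findings = []
    title = meta.get("Title", "").lower()
    if any(word in title for word in ("encrypted", "protected")):
        findings.append("title claims the document is encrypted/protected")
    for uri in extract_link_uris(pdf):
        host = urlparse(uri).hostname or ""
        if host not in trusted_hosts:
            findings.append(f"link to untrusted host: {host or uri}")
    return meta, findings


if __name__ == "__main__":
    meta, findings = triage(SAMPLE_PDF, trusted_hosts=("example.org",))
    print("metadata:", meta)
    for f in findings:
        print("FLAG:", f)
```

Run over a mailbox export, the metadata dictionary gives you the author/producer pairs to cluster lures by, and the findings list gives a cheap first-pass signal before a sandbox or analyst looks at the file.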

The campaign’s infrastructure relies on domains registered through Hostinger. The first-stage domains serve JavaScript that fingerprints the target’s browser and system before any phishing page is shown, which lets the operators filter out researchers and automated scanners.

“If the target clicks on the link, their browser will fetch JavaScript code from the attacker’s server that computes a fingerprint of the target’s system and submits it to the server”

Victims include prominent figures such as Polina Machold of Proekt Media and former US Ambassador Steven Pifer.

The campaign also shows how the operators adjust their tradecraft to stay under the radar, for example by moving domain registration from Namecheap to Hostinger.

A second campaign with similar tradecraft, tracked as COLDWASTREL, has also been identified. Its PDFs have different characteristics, and its infrastructure and targeting point to a distinct actor operating in the same Russian cyber-espionage landscape.

Screenshots from COLDWASTREL PDFs.

This activity is consistent with wider Russian state objectives and poses a severe danger to victims, especially those still inside Russia.

Despite their advanced capabilities, state-sponsored actors such as Russia’s FSB keep relying on personalized phishing because it is cheap and succeeds often.

Such campaigns draw on extensive intelligence gathering to build highly believable lures, and every successful compromise yields contacts, context, and correspondence that feed the next round of attacks.

This persistence reflects COLDRIVER’s tolerance for exposure, which is most likely a product of its state sponsorship.

These campaigns frequently target civil society alongside government and industry, yet civil-society victims receive far less attention in cybersecurity reporting.

Russian cyber espionage is a crowded field: the SVR, GRU, and FSB each run their own operations, sometimes cooperating, sometimes competing, and sometimes working through non-state threat actors.

Beyond phishing, Russia-affiliated actors use other hostile digital tactics against civil society, including censorship, stalking campaigns, account hijacking, and advanced social engineering.

This multi-pronged approach is especially dangerous for activists, journalists, and NGOs, above all those in exile or working on Russian issues, and it underlines how important it is to understand and protect these targets.


Recommendations

The report’s recommendations for at-risk users:

  • Use two-factor authentication, preferably a phishing-resistant method such as a hardware security key, since the phishing pages in this campaign capture one-time codes.
  • Enroll in programs for high-risk users, such as Google’s Advanced Protection Program.
  • Do not click links in unexpected emails, even when the sender appears to be someone you know; confirm through another channel first.
  • Be suspicious of “encrypted” or “protected” PDFs, and of any link offered to unlock them.
  • Keep devices and browsers updated and run reputable security software.
  • Use long, unique passwords (a password manager helps), and change them immediately if you suspect compromise.

Indicators of Compromise

COLDRIVER PDF Hashes