Russian Hacker Group Continues Stealing Money From Industrial Enterprises

silversurfer

A Russian-speaking threat actor has been targeting hundreds of industrial enterprises for more than two years, Kaspersky’s security researchers report.

Focused on companies in Russia, the ongoing attacks are highly targeted, leveraging phishing emails for malware deployment. In some cases, legitimate documents that were stolen in previous attacks are leveraged for social engineering.

Another characteristic of these attacks is the use of remote administration utilities, including Remote Manipulator System/Remote Utilities (RMS) and TeamViewer. Malware is employed to hide the user interface of these programs, to avoid attracting attention.

The campaign was first detailed in 2018, when Kaspersky said that more than 400 organizations had been hit. Now, the security researchers reveal that the attackers have updated their techniques and that the number of victim organizations has increased.

Specifically, the adversary switched to using the web interface of RMS’s cloud infrastructure as a notification channel for getting the infected machine’s TeamViewer ID, instead of the malware command and control servers. In an ongoing attack, spyware and Mimikatz have been employed for credential theft.
 
