Undercover attack: nearly 85% of phishing emails are disguised as financial and government documents
Specifically, 79% of phishing emails are masked as invoices, payment orders, and other financial documents, 8% as contracts and agreements, and 5% as resumes. Another 4% pose as messages from regulators.
Phishing emails sent on behalf of government organizations are often convincing. They skillfully mimic the language of lawmaking, cite appropriate documents, and contain links to official websites. This helps cybercriminals lull users into a false sense of security. Adversaries can also employ uncommon malware that is hard to detect with standard security tools. This increases the attackers' chances of penetrating the infrastructure unnoticed, achieving persistence, and causing serious damage.
Bloody Wolf’s emails contain a PDF attachment that looks like a genuine non‑compliance notice. In addition to the links to malicious files, the document has download links for the Java interpreter installation guide (the program is required for the malware to function). One such link leads to the official Kazakhstan government website, which encourages visitors to install Java for the correct operation of the e‑government portal.
The attackers employ STRRAT, a commercial malware also known as Strigoi Master. It enables them to remotely execute commands on compromised computers, manage files and browsers, intercept keystrokes, etc. While the malware's capabilities are not much different from those of similar RATs, the use of less common file types makes it harder to detect.
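The Java dependency described above gives defenders a concrete hunt: a JAR launched by java.exe or javaw.exe from a user-writable directory, especially when the parent is a PDF reader, mail client or browser. The following Python is an added example, not BI.ZONE's code or tooling; the process events are constructed, and the field names, paths, parent list and severity thresholds are assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry): a JAR opened from a
# PDF reader out of Downloads, a legitimate vendor JAR, and a JAR run from %TEMP%.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Adobe\Acrobat DC\Acrobat.exe",
     "image": r"C:\Program Files\Java\jre8\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre8\bin\javaw.exe" -jar "C:\Users\alice\Downloads\notice.jar"'},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Java\jre8\bin\java.exe",
     "cmdline": r'"C:\Program Files\Java\jre8\bin\java.exe" -jar "C:\Program Files\Vendor\backup-agent.jar"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Java\jre8\bin\java.exe",
     "cmdline": r"C:\Program Files\Java\jre8\bin\java.exe -jar C:\Users\bob\AppData\Local\Temp\update.jar"},
]

JAVA_IMAGES = {"java.exe", "javaw.exe"}
# Directories a standard user can write to: a JAR here usually arrived by download or from an archive.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Parents that indicate the JAR was reached through a document, mail client or browser (assumed list).
DOCUMENT_PARENTS = {"acrobat.exe", "acrord32.exe", "winword.exe", "excel.exe",
                    "outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify_event(event):
    """Classify one process-creation event; None if it is not a 'java -jar' launch."""
    if basename(event["image"]) not in JAVA_IMAGES:
        return None
    m = JAR_ARG.search(event["cmdline"])
    if not m:
        return None
    jar = (m.group(1) or m.group(2)).lower()
    reasons = []
    if any(segment in jar for segment in USER_WRITABLE):
        reasons.append("jar in user-writable path")
    if basename(event["parent"]) in DOCUMENT_PARENTS:
        reasons.append("spawned by document/mail/browser process")
    severity = {0: "info", 1: "medium", 2: "high"}[len(reasons)]
    return {"jar": basename(jar), "severity": severity, "reasons": reasons}

def hunt(events):
    """Return the JAR launches worth an analyst's attention, in event order."""
    results = (classify_event(e) for e in events)
    return [r for r in results if r and r["severity"] != "info"]
```

On real EDR telemetry, pair this with the process-tree context of the download itself (browser or mail client writing the JAR) to cut false positives from in-house Java tools.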
Bloody Wolf is not the first group to attack CIS companies with phishing emails disguised as messages from government agencies. Similar schemes were used by Scaly Wolf against manufacturing and logistics enterprises, by Mysterious Werewolf against defense agencies, and by Sticky Werewolf against public organizations in Russia and Belarus.
Attacks like those by Bloody Wolf must be not only detected but also neutralized before they affect the infrastructure. Endpoint protection solutions such as BI.ZONE EDR enable early detection of attacks and immediate incident response, either automated or manual. Meanwhile, companies can ensure the effective operation of security solutions, accelerate incident response, and protect against the most critical threats with threat intelligence portals, such as BI.ZONE Threat Intelligence. The solution provides information about current attacks, threat actors, and their methods and tools.