Undercover attack: nearly 85% of phishing emails are disguised as financial and government documents

Our research shows that 68% of attacks on companies in Russia and other CIS countries last year began with phishing emails. In the first six months of 2024, this share reached 76%.
July 31, 2024

Specifically, 79% of phishing emails are disguised as invoices, payment orders, and other financial documents, 8% as contracts and agreements, and 5% as resumes. Another 4% pose as messages from regulators.

Phishing emails sent on behalf of government organizations are often convincing: they mimic the language of official correspondence, cite the relevant legislation, and link to genuine official websites. This lulls users into a false sense of security. Adversaries may also employ uncommon malware that standard security tools struggle to detect, which improves their chances of entering the infrastructure unnoticed, establishing persistence, and causing serious damage.

These trends are perfectly illustrated by a recent series of attacks on organizations in Kazakhstan. The Bloody Wolf group not only sends very plausible phishing emails on behalf of regulators but also hosts its malware on a domain imitating the website of a Kazakhstani government agency. Instead of the anticipated official document, the victim downloads a malicious JAR file from the website. Such files are rarely used by attackers and thereby allow them to successfully bypass some defenses.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

Bloody Wolf's emails contain a PDF attachment that looks like a genuine non-compliance notice. Alongside the links to the malicious files, the document includes download links for a Java Runtime Environment installation guide (the malware needs Java to run). One such link leads to the official Kazakhstan government website, which tells visitors to install Java so that the e-government portal works correctly.
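The lure described above mixes genuine links with a JAR download on a lookalike domain, which is exactly what an analyst triaging the attachment should separate. The script below is an added example written for this article; it is not BI.ZONE code and is not based on the real Bloody Wolf samples. It extracts the `/URI` link annotations from raw PDF bytes and flags hosts that merely resemble an official domain and links that download a Java archive. The PDF bytes, the "official" host `portal.gov.example` and the lookalike `portal-gov.example` are all constructed for the example.

```python
"""Triage the link targets embedded in a PDF lure.

Added example for this article: not BI.ZONE code and not taken from the real
Bloody Wolf samples. It pulls the /URI link annotations out of raw PDF bytes
and flags the two things the article describes: a host that merely resembles
an official government domain, and a link that downloads a Java archive. The
PDF bytes, the official domain (portal.gov.example) and the lookalike domain
are all constructed for the example.
"""
import re
from urllib.parse import urlparse

# Assumption: the genuine government host the lure imitates (made up here).
OFFICIAL_HOSTS = {"portal.gov.example"}

# Constructed stand-in for the malicious PDF. Like the real lure, it mixes a
# genuine link (Java installation guidance on the official site) with a JAR
# download hosted on a lookalike domain.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://portal.gov.example/help/install-java) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://portal-gov.example/notice/Uvedomlenie_2024.jar) >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://www.portal.gov.example/) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# /URI followed by a PDF literal string; the group tolerates escaped parens.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def extract_uris(pdf_bytes: bytes) -> list:
    """Return the targets of literal-string /URI annotations, in file order.

    Real-world PDFs may hide annotations in compressed object streams; for
    those, feed the decompressed objects (e.g. via pypdf) to the same regex.
    """
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1).decode("latin-1")
        # undo the PDF literal-string escapes that can occur inside a URL
        uris.append(raw.replace(r"\(", "(").replace(r"\)", ")").replace("\\\\", "\\"))
    return uris


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot near-miss hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_verdict(host: str) -> str:
    """Classify a hostname as official, lookalike or other."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    if host in OFFICIAL_HOSTS:
        return "official"
    squashed = re.sub(r"[.\-]", "", host)
    for official in OFFICIAL_HOSTS:
        # one or two character edits away, or the official name embedded with
        # its dots swapped for hyphens / prepended as a subdomain
        if edit_distance(host, official) <= 2 or re.sub(r"[.\-]", "", official) in squashed:
            return "lookalike"
    return "other"


def triage(pdf_bytes: bytes) -> list:
    """Return one finding per link that deserves an analyst's attention."""
    findings = []
    for url in extract_uris(pdf_bytes):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        verdict = host_verdict(host)
        is_jar = parsed.path.lower().endswith((".jar", ".jnlp"))
        if verdict == "official" and not is_jar:
            continue  # genuine link, like the real lure's Java guidance
        reasons = []
        if verdict == "lookalike":
            reasons.append("host imitates " + ", ".join(sorted(OFFICIAL_HOSTS)))
        elif verdict == "other":
            reasons.append("host is not an official domain")
        if is_jar:
            reasons.append("link downloads a Java archive")
        findings.append({"url": url, "host": host, "verdict": verdict, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PDF):
        print(f["verdict"], f["url"], "|", "; ".join(f["reasons"]))
```

Run against the constructed sample, only the JAR link on the lookalike host is reported; the two links to the genuine site are dropped, which is the point: a notice that links to the real regulator is not reassuring if any other link in it fetches an executable archive.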

The attackers use STRRAT, a commercial malware family also known as Strigoi Master. It lets them execute commands remotely on compromised hosts, manage files and browsers, log keystrokes, and more. While its capabilities differ little from those of other RATs, delivery as a less common file type makes it harder to detect.
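A JAR payload may slip past mail filters tuned for Office and script files, but it still has to be started by a Java runtime on the endpoint. The rule below is an added example for this article, not BI.ZONE EDR logic and not derived from real Bloody Wolf telemetry: it runs over process-creation events and alerts when `java.exe` or `javaw.exe` opens a `.jar` that sits in a download or temp directory, raising severity when the parent is Explorer, a browser or an archiver. The events are constructed; the `image` / `command_line` / `parent_image` field names are an assumption modelled on Sysmon event 1.

```python
"""Flag Java archives launched from user-writable locations.

Added example for this article: not BI.ZONE EDR logic and not derived from real
Bloody Wolf telemetry. The article notes that JAR payloads are uncommon enough
to slip past some defences; a process-creation rule like this one watches for
the step the attacker cannot skip, a Java runtime opening a .jar that sits in a
download or temp directory, typically spawned by Explorer, a browser or an
archiver. The events below are constructed; the field names are an assumption
modelled on Sysmon event 1 (image / command_line / parent_image).
"""
import ntpath
import re
from typing import Optional

JAVA_IMAGES = {"java.exe", "javaw.exe"}
# Directories a phished user writes to without admin rights.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|desktop|documents|appdata\\local\\temp)\\", re.I
)
# Parents that mean "the user just opened something", not "a service started".
LURE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                "outlook.exe", "winrar.exe", "7zfm.exe"}

# Constructed events: two lure-style launches, two benign Java starts.
EVENTS = [
    {"image": r"C:\Program Files\Java\jre-17\bin\javaw.exe",
     "command_line": r'"C:\Program Files\Java\jre-17\bin\javaw.exe" -jar "C:\Users\aidana\Downloads\Uvedomlenie_2024.jar"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Program Files\Java\jre-17\bin\java.exe",
     "command_line": r"java.exe -jar C:\Users\aidana\AppData\Local\Temp\Rar$DIa1234.56\notice.jar",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"image": r"C:\Program Files\Java\jre-17\bin\javaw.exe",
     "command_line": r'"C:\Program Files\Java\jre-17\bin\javaw.exe" -jar "C:\Program Files\Vendor\app.jar"',
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Program Files\Java\jre-17\bin\java.exe",
     "command_line": r"java.exe -version",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]


def split_cmdline(cmd: str) -> list:
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def jar_argument(tokens: list) -> Optional[str]:
    """Return the archive path from `-jar <path>`, or a bare .jar argument
    (how Windows launches a JAR opened through the file association)."""
    lowered = [t.lower() for t in tokens]
    if "-jar" in lowered:
        i = lowered.index("-jar")
        if i + 1 < len(tokens):
            return tokens[i + 1]
    for tok in tokens:
        if tok.lower().endswith(".jar"):
            return tok
    return None


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert for a JAR launched from a user-writable path, else None."""
    image = ntpath.basename(event["image"]).lower()
    if image not in JAVA_IMAGES:
        return None
    jar = jar_argument(split_cmdline(event["command_line"]))
    if jar is None or not USER_WRITABLE.match(jar):
        return None
    parent = ntpath.basename(event["parent_image"]).lower()
    return {
        "jar": jar,
        "parent": parent,
        # A user-facing parent means the archive was almost certainly opened by hand.
        "severity": "high" if parent in LURE_PARENTS else "medium",
    }


def detect(events: list) -> list:
    """Run the rule over a batch of process-creation events."""
    return [a for a in map(evaluate, events) if a is not None]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["severity"], alert["parent"], "->", alert["jar"])
```

The rule ignores Java started by services or from Program Files, so it stays quiet on installed Java applications while catching both a JAR double-clicked from Downloads and one opened straight out of an archive in the WinRAR temp folder. In production the path allowlist and the parent set would be tuned to the estate, but the shape of the logic is what matters: the file type is unusual for malware, not for the runtime that executes it.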

Bloody Wolf is not the first group to attack CIS companies with phishing emails disguised as messages from government agencies. Similar schemes were used by Scaly Wolf against manufacturing and logistics enterprises, by Mysterious Werewolf against defense agencies, and by Sticky Werewolf against public organizations in Russia and Belarus.

It is critical not only to detect attacks like those by Bloody Wolf but also to neutralize them before they affect the infrastructure. Endpoint protection solutions such as BI.ZONE EDR enable early detection of attacks and immediate incident response, whether automated or manual. Meanwhile, threat intelligence portals such as BI.ZONE Threat Intelligence help companies keep their security solutions effective, accelerate incident response, and protect against the most critical threats by providing information about current attacks, threat actors, and their methods and tools.