BI.ZONE discovers new phishing campaign distributing White Snake stealer to Russian companies

The White Snake stealer—malware that steals passwords and other data from infected devices—is distributed under the guise of legitimate notifications from the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)
August 8, 2023

Criminals send an archive with several files to corporate email addresses. The first document contains an allegedly official notification from the state authority. It states that selective activity monitoring has revealed visits to prohibited internet resources (i.e., the recipient of the letter has violated Law No. FZ‑255 “On the control of activities of persons which are under foreign influence”).

In the same notification, the attackers demand that the recipient immediately check the attached materials and give an explanation within two working days. Otherwise, they threaten administrative and law enforcement measures. This way, the victim is prompted to quickly open the second file, which is the White Snake stealer.

The White Snake malware is actively advertised on dark forums as a tool for targeted attacks. It allows attackers to retrieve stored passwords, copy files, record keystrokes, microphone audio, and webcam video, and gain remote access to compromised devices and corporate systems. As criminals tend to resell the collected information over time, it may take a while before companies can assess the total damage done.

Threat actors can also use White Snake to download and run any malicious tool on the side. A monthly subscription to the stealer is just $140 while unlimited access is available for $1,950.

The dark segment of the Internet offers increasingly high‑quality tools for executing malicious campaigns. They enable attackers to bypass conventional defenses and provide them with all the means they need to achieve their goals. Reduced costs and lower skill requirements mean that the number of targeted attacks will continue to increase. To defend against such campaigns, it is necessary to develop processes that prevent, detect, and respond to cyber threats.
Oleg Skulkin
Head of Cyber Threat Intelligence, BI.ZONE

Phishing emails are one of the main ways to gain initial access in a targeted attack. To protect against this threat, we recommend using specialized solutions that block spam and malicious emails. One such solution is BI.ZONE CESP. If your company has already suffered a cyberattack, our team of experts can help you quickly respond to the incident and investigate it.

We cover the attack in more detail in the article.