RATs and stealers are most favored by adversaries attacking Russian business

Remote access trojans (RATs), the type of malware that enables threat actors to run commands on compromised devices remotely, are used in more than half of all attacks on Russian organizations
November 5, 2024

With a 29% share, stealers represent the second largest group of malicious programs employed by adversaries against Russian companies. Such programs are designed to extract authentication data and other sensitive information from infected systems. Rounding out the top three are loaders (16%), which are used for delivering malicious payloads and additional adversary tools.

Stealers allow attackers to obtain information about compromised devices, including OS version numbers and hardware specifications, as well as credentials and other data from crypto wallets, email clients, browsers, and other applications. The authentication material obtained can later be used for more sophisticated targeted attacks against the compromised organizations.

This year, the top five most popular stealers so far are FormBook (29% of all attacks against Russian companies), SnakeLogger (23%), Rhadamanthys (17%), PureLogs Stealer (11%), and MetaStealer (nearly 10%). The latter is almost identical to the well-known RedLine stealer. Unlike its parent program, MetaStealer has no developer restrictions that could prevent its use against businesses in Russia and other CIS countries.

As the developers of MetaStealer do not prohibit its use against Russian companies, this malware is becoming more popular among adversaries. For example, this stealer is often used by Venture Wolf, the threat actor targeting manufacturing, construction, IT, telecommunications, and some other industries. Active since last November, the group has completed at least 10 campaigns against Russian organizations. To deliver MetaStealer, Venture Wolf sends out phishing emails with archives containing a .com (occasionally .exe) loader that installs the stealer onto the victim’s device.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

In its choice of decoys, Venture Wolf often uses company registration records, which include banking details and legal addresses. Various adversaries opt for this trick because mentioning real organizations makes phishing emails look plausible and dulls the user’s vigilance. It is important to remember that the organizations whose brands are abused in phishing emails are not liable for the actions of criminals or the associated damage.

Venture Wolf sends out emails with an archive that contains a loader and one or more decoy documents. After the victim opens the archive, the stealer is decrypted and installed on the compromised device.
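As an added example (not BI.ZONE code), a mail-gateway style attachment check for the delivery pattern just described: an archive that carries a .com or .exe loader next to one or more decoy documents. The extension lists, the MZ-header check for renamed PE files, and the in-memory sample archive are assumptions constructed here.

```python
"""Flag archive attachments that pair an executable loader with decoy documents.
Added example; extension lists, MZ check and sample archive are assumptions."""
import io
import zipfile

# .com files are raw DOS binaries and need no MZ header, so they are caught
# by extension; PE files renamed to something harmless are caught by magic.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def inspect_archive(data: bytes) -> dict:
    """Return executable-looking members, document-style decoys, and a verdict."""
    executables, decoys = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)  # PE/DOS executables start with b"MZ"
            ext = _ext(info.filename)
            if ext in EXECUTABLE_EXTS or head == b"MZ":
                executables.append(info.filename)
            elif ext in DECOY_EXTS:
                decoys.append(info.filename)
    return {
        "executables": executables,
        "decoys": decoys,
        # Loader plus decoy document is the delivery pattern worth quarantining.
        "suspicious": bool(executables) and bool(decoys),
    }


def build_sample(include_loader: bool = True) -> bytes:
    """Constructed sample: a decoy 'registration record' PDF, optionally with a .com loader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("company_registration.pdf", b"%PDF-1.4 decoy")
        if include_loader:
            zf.writestr("details.com", b"placeholder loader body")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_archive(build_sample()))            # suspicious: True
    print(inspect_archive(build_sample(False)))       # suspicious: False
```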

Phishing emails are a popular way of gaining initial access to IT infrastructure. To protect your mail server, you can use specialized solutions, such as BI.ZONE CESP. The solution filters out illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of legitimate messages.

To receive information about the cyber threats most relevant to your organization, we recommend using cyber intelligence portals, such as BI.ZONE Threat Intelligence. This data helps to ensure the precision of your security solutions and accelerate incident response.