Russian Service Center attack
News | 07/13/2018

Cyber criminals targeting Russian Service Centers

About: Fortinet discovered a series of attacks targeting service centers in Russia. These service centers offer maintenance and support for various electronic goods. The distinctive feature of this attack is multi stage launching. Let us read more about th...  Read More  

| News | Cyber criminals targeting Russian Service Centers

While phishing attacks against banks in Russia is not a new thing; the recent attacks carried out against the “certifying body” offering maintenance and support for various electronics goods is worth looking at!

Russian Service Centers were deceived by attackers who launched a phishing email campaign exploiting 17-year–old vulnerability in MS office. The vulnerability tracked as CVE-2017-11882 is a memory consumption issue that affects all versions of Microsoft Office including the latest office version i.e. 365 and could be triggered on all version of Windows Operating system including Windows 10. This bug could be exploited by cyber criminals to execute malicious code. This is done by tricking victims to open a especially crafted malicious file.

The first Russian Service Center attack was observed in March by FortiGuard Labs when spear phishing emails were sent by the crooks to a service center of Samsung’s electronic devices.

The analysis reveals that 50 domains were registered by the crooks on the same day to carry out phishing attacks and to deliver malware.

The contents of the email were in Russian language and include an attachment named ‘Symptom_and_repair_code_list.xlsx’.

Russian Service Center attack


The distinctive feature of Russian Service Center attack is its multiple staged launching. Each email sent included a different XLSX file that utilized a shell code to gain access to: LoadLibraryA and GetProcAddress functions or in other words gain access to library functions and address of DLL (Dynamic Link Library) functions. DLL plays an important role in code modularization.

The “URLDownloadToFileW and ExpandEnvironmentStringsW” are the two most important functions imported by Shellcode.

The purpose of these functions is to download a file from a url and store the downloaded payload to some specific location.

In order to evade detection the final payload then uses multiple layer multi packer protection.

First stage: The first layer of protection involves the popular ConfuserEx packer. ConfuserEx is an open-source protector for .NET applications that advanced security to applications written in VB, C#, F# and other .NET languages.

Second stage: The second stage of protection is determined by resources that are encrypted using DES (Data Encryption Standard) and executes decrypted file named BootstrapCS. BootstrapCS contains multiple anti analysis checks and the resources section determines which checks should be performed. These checks are necessary to avoid the code execution in virtualized environment.

Third Stage: This stage of payload uses simple XOR algorithm with the KEY = 0x20 for encryption and is represented by a binary resource names mainfile.

Based on the values in the settings resource file, the payload is injected into a process once it is de-crypted. The stage 3 of the payload allows malicious code to control victim’s PC including the webcam.

Hits: 48

Leave a Reply

Your email address will not be published. Required fields are marked *

Did you find the article informative? Yes NO

Get Regular Updates Related to All the Threats

Want to stay informed about the latest threats & malware? Sign up for our newsletter & learn how to get rid of all types of threats from your computer.

Virus Removal Guidelines
Plot No 319, Nandpuri- B Pratap Nagar
Rajasthan 302033
Phone: +91 9799661866