A new type of cyber espionage against Russian companies has emerged

Cybercriminals are masquerading as job seekers and employees of inspection organizations

Cyber spies posing as job seekers and inspection organizations have begun attacking Russian IT companies and organizations in the financial and other sectors. The attackers send emails with links that supposedly lead to an archive containing a portfolio, presentations, the results of a special assessment of working conditions at the company, and other materials. Instead of these documents, the recipients get malware on their devices that steals data.

The archive contains the XDigo stealer. We recorded the first attacks using this malware back in late 2022. The goal of the attackers is cyber espionage, theft of confidential documents and other information, including passwords from the browser. In particular, for this purpose, the Trojan checks for the presence of browsers in the system. The malware sends the found corporate data to the attackers' control server.
Victoria Vlasova, cybersecurity expert at Kaspersky Lab

To mislead potential victims, attackers register domains whose names resemble those of file hosting services, and then create links that look convincing. Experts at Kaspersky Lab say that their clients encountered several hundred such messages with signs of targeted mailing in the spring of 2024.

Experts recommend that companies:

  • install a reliable security solution that will automatically send such emails to spam;
  • regularly conduct cybersecurity training for employees and teach them to recognize social engineering techniques (editor's note: in the context of information security, social engineering is the psychological manipulation of people in order to get them to perform certain actions).

It is also necessary to use comprehensive solutions that help ensure real-time protection, track threats, investigate and respond to them. These should be solutions at different levels:

  • EDR — focused on detecting targeted attacks and complex threats;
  • XDR — information security systems designed for automatic proactive detection of threats at various levels of infrastructure, responding to them and countering complex attacks.

Earlier, before the May holidays, another wave of cyberattacks on Russian companies began. Enterprises started receiving malicious files by email, disguised as letters from partner companies making pre-trial claims and demanding repayment of certain debts. Using these files, attackers tried to penetrate, and in some cases did penetrate, the organizations' infrastructure.
