Cybersecurity specialists from F.A.C.C.T. are warning Russian companies about attacks by Narketing163. Companies in more than twenty countries have already been hit by this attacker: from Kazakhstan, Azerbaijan, Armenia, Bulgaria, Ukraine, Turkey, and the USA to Norway, Sri Lanka, Luxembourg, and Mexico. Narketing163's "chain letters" are now arriving in Russia as well.
As the experts note, Narketing163 sends emails from addresses under the top-level domains tr, az, com, kz, pe, info and net, imitating correspondence from real companies. The sending IP addresses changed constantly across the mailings. In the emails the attacker set Reply-To addresses that he presumably registered himself: narketing163@gmail[.]com, tender12@mail[.]com, verconas@mail[.]com, kubrayesti@gmail[.]com. A Reply-To at a free webmail provider that does not match the sender's domain is therefore one of the clearest indicators of this campaign.
The subjects of the emails usually concern commercial offers for goods and services, delivery times, order processing and payment, and the emails are addressed to companies in a wide range of sectors: e-commerce, retail, the chemical industry, construction, medicine, insurance, and the food industry. The recipient is invited to download an attached file for "full details" of the commercial offer; the attachment carries the malicious payload.
In its attacks, Narketing163 uses several Windows malware families: RedLine Stealer, Agent Tesla, FormBook (also known as Formgrabber), and Snake Keylogger. Each serves a different purpose for the fraudsters:
- RedLine Stealer profiles the victim's operating system, executes tasks sent by the operator, and grabs files. It harvests data from the browsers on the infected machine: saved logins and passwords, cookies, autofill and credit card data, as well as credentials from FTP and instant-messaging clients;
- Agent Tesla, once on the device, captures the webcam, collects information about the infected machine, and steals passwords from applications and browsers. If required, it can download additional malware from the Internet and run it on the victim's device;
- FormBook (Formgrabber) steals data from browsers, FTP clients, and messengers. The malware injects itself into processes, logs keystrokes, steals clipboard contents, and extracts data submitted in HTTP sessions;
- Snake Keylogger records the user's keystrokes and sends them to the attackers: usernames, passwords, bank card details, and other information.
To protect against this type of attack, F.A.C.C.T. experts recommend:
- use software solutions to protect email, detect and respond to cyber threats, and proactively analyze cyber threats;
- regularly update installed software;
- conduct employee training and test phishing attacks to check how well employees can recognize a cyber threat.
Corporate users are also advised to pay attention to a number of signs of a letter from Internet fraudsters. You should be wary if:
- the email arrived unannounced from a supposed partner and its content does not match the company's line of business;
- the company rarely or never works with foreign clients or partners, yet received an email in a foreign language, for example Azerbaijani, English or Turkish;
- the subject of the letter indicates "URGENT REQUEST", or other wording to manipulate recipients and put pressure on them;
- the email is impersonal and does not mention the name, employees or products of the company it is addressed to; in other words, it may be a generic mass mailing;
- the letter contains spelling errors: they are often used by attackers to bypass spam filters;
- the sender of the letter has a suspicious email address that mimics the corporate mail of a large company. You should check the address on the official website of the company on whose behalf you are offered a partnership;
- the email contains links to sites without an SSL/TLS certificate (http instead of https) or to suspicious domains. Do not follow such links; if in doubt, check the legitimacy of the domain in search engines. Note that https alone is no guarantee of legitimacy: attackers obtain certificates for their own domains just as easily, so the domain itself still needs to be verified;
- there are suspicious attachments in the letters. You should not download files from untrusted sources.
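The indicators above (a Reply-To mailbox at a free webmail provider that differs from the sender's domain, pressure wording in the subject, plain-http links, and executable attachments) can be checked automatically before a message reaches a user. The following Python script is an added example written for this page, not code from F.A.C.C.T.; it parses one raw message with the standard library and reports which indicators it finds. The sample email, the hypothetical domains `supplier.example` and `offer-details.example`, and the list of risky attachment extensions are constructed for the demonstration; the four Reply-To mailboxes are the ones named in the article, with the defanged dots restored.

```python
"""Heuristic triage of an inbound email for the indicators described above."""
import os
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Reply-To mailboxes reported in the article (defanging removed).
KNOWN_REPLY_TO = {
    "narketing163@gmail.com",
    "tender12@mail.com",
    "verconas@mail.com",
    "kubrayesti@gmail.com",
}
# Assumed list: file types that should never arrive as an unsolicited "commercial offer".
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".iso", ".img", ".lnk", ".bat", ".cmd", ".hta"}
PRESSURE_WORDS = re.compile(r"\b(urgent|immediately|asap)\b", re.IGNORECASE)
HTTP_LINK = re.compile(r"\bhttp://[^\s<>\"']+", re.IGNORECASE)


def triage(raw: str) -> list[str]:
    """Return the list of indicators found in one raw RFC 5322 message."""
    msg: Message = message_from_string(raw)
    findings: list[str] = []

    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_to.rpartition("@")[2]

    # 1. Replies are routed to a mailbox outside the sender's domain.
    if reply_to and reply_domain != from_domain:
        findings.append(f"reply-to mismatch: From={from_domain} Reply-To={reply_domain}")
    if reply_to in KNOWN_REPLY_TO:
        findings.append(f"known Narketing163 reply-to: {reply_to}")

    # 2. Pressure wording in the subject line.
    subject = str(msg.get("Subject", ""))
    if PRESSURE_WORDS.search(subject):
        findings.append(f"pressure wording in subject: {subject!r}")

    # 3. Walk the MIME tree: risky attachments and plain-http links in the text body.
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            if os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
                findings.append(f"risky attachment: {filename}")
            continue
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
            for link in HTTP_LINK.findall(text):
                findings.append(f"plain-http link: {link}")
    return findings


# Constructed sample message modelled on the campaign described above.
SAMPLE_EMAIL = """\
From: Sales Department <sales@supplier.example>
Reply-To: tender12@mail.com
To: info@victim.example
Subject: URGENT REQUEST - Commercial offer and delivery terms
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Sir/Madam,
Please find attached our commercial offer. Full details: http://offer-details.example/order
Kindly confirm order processing and payment terms.

--b1
Content-Type: application/octet-stream; name="Commercial_Offer.exe"
Content-Disposition: attachment; filename="Commercial_Offer.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Run on the sample, the script reports all five indicators. In a real mail gateway the same checks would be applied to every inbound message and any hit routed to quarantine or to an analyst rather than to the recipient; none of the heuristics is conclusive on its own, but the Reply-To mismatch combined with an executable attachment is a strong signal for this campaign.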