Russian users were phished

Cybersecurity company MalwareBytes informed about a new fraudulent scheme that targets users from Russia.

Attackers send emails in Russian on behalf of the Ministry of Digital Development, Communications and Mass Media of the Russian Federation. They report that the department is starting to monitor and fix access to prohibited sites and web services, the list of which is indicated in the attached document.

The RTF file contains a link that exploits a vulnerability in the MSHTML engine. It allows remote code execution when the user allows the file to be edited, ostensibly to gain access to the full text of the document.

Letters were sent to users with email domains mail.ru, mvd.ru, yandex.ru, cap.ru, minobr-altai.ru, yandex.ru, stavminobr.ru, mon.alania.gov.ru, astrobl.ru, 38edu.ru, mosreg.ru, mo.udmr.ru, minobrnauki.gov.ru, 66.fskn.gov.ru, bk.ru and ukr.net. Based on this, in addition to ordinary users, scammers targeted:

• Official portal of the authorities of the Chuvash Republic;
• Ministry of the Interior;
• Ministry of Education and Science of the Republic of Altai;
• Ministry of Education of the Stavropol Territory;
• Ministry of Education and Science of the Republic of North Ossetia-Alania;
• Government of the Astrakhan Region;
• Ministry of Education of the Irkutsk Region;
• State Services of the Moscow Region;
• Ministry of Science and Higher Education of the Russian Federation.

It is not yet known how many users fell victim to this attack.