Cybercriminals debut Russian remote access software for targeted attacks
Attackers tend to employ foreign remote access tools to gain persistence in the infrastructure of a compromised company. The most popular programs for this purpose are TeamViewer, AnyDesk, and Ammyy Admin. These programs have often been used by companies themselves for various business purposes, so corporate security teams could not block them. However, many Russian organizations are switching to domestic software, which now makes it possible to block foreign applications that may be exploited by intruders. The Quartz Wolf group has adapted its attacks accordingly: to bypass traditional defenses, it leverages domestic remote access products, which increases the attackers’ chances of remaining undetected in the infrastructure.
Criminals send phishing emails on behalf of the Federal Hotel Service company, which helps transmit registration data and migration records to the Russian Ministry of Internal Affairs. In the messages, the attackers claim to inform recipients of changes to the registration procedure that have come into force and must urgently be reviewed via the attached link. The user downloads an archive, opens it, and, unknowingly, runs the malicious file. This installs the Russian remote access solution ASSISTANT, a program used internally by various companies.
Remote access allows the threat actors to take control of a compromised system, block input devices, copy files, modify the registry, use the Windows command line, etc. This opens up a wide range of opportunities for the intruders, from stealing business system credentials and transferring customer data onto a third-party server to making transactions via banking software on behalf of the victim.
Phishing emails remain one of the primary methods of gaining initial access in targeted attacks. To protect against them, BI.ZONE experts recommend using specialized solutions that block spam and malicious emails. Services that offer continuous IT perimeter monitoring can ensure an effective response to new threats. They allow companies to quickly recognize advanced attacks and neutralize them.