Cybercriminals debut Russian remote access software for targeted attacks

The BI.ZONE Cyber Threat Intelligence team has detected attacks on the hospitality industry by a new group called Quartz Wolf. This is the first time a Russian remote access solution has been used against local companies. That is how criminals bypass conventional defenses and successfully gain a foothold in the business infrastructure.
July 19, 2023

Attackers tend to employ foreign remote access tools to gain persistence in the infrastructure of a compromised company. The most popular programs for this purpose are TeamViewer, AnyDesk, and Ammyy Admin. These tools were often used by the companies themselves for various business purposes, so corporate security teams could not block them. However, many Russian organizations are switching to domestic software, which now makes it possible to block foreign applications that intruders might exploit. The Quartz Wolf group has adapted its attacks: to bypass traditional defenses, it leverages domestic remote access products. This increases the attackers’ chances of remaining undetected in the infrastructure.

Criminals send phishing emails on behalf of the Federal Hotel Service company, which helps transmit registration data and migration records to the Russian Ministry of Internal Affairs. In the messages, the attackers claim that changes to the registration procedure have come into force and must be urgently reviewed via the attached link. The user downloads an archive, opens it, and, unknowingly, runs the malicious file. This installs the Russian remote access solution ASSISTANT, a program used internally by various companies.

Remote access allows the threat actors to take control of a compromised system, block input devices, copy files, modify the registry, use the Windows command line, etc. This opens up a wide range of opportunities for the intruders, from stealing business system credentials and transferring customer data onto a third-party server to making transactions via banking software on behalf of the victim.

By using legitimate tools, attackers can remain undetected on a compromised network for an extended period of time, especially if such software is already utilized by the organization. In the Quartz Wolf example, we can see that the threat actors keep looking for new legitimate software to abuse. They alter their methods so that their attacks still look like normal user activity.
Oleg Skulkin
Head of Cyber Threat Intelligence, BI.ZONE

Phishing emails remain one of the primary methods of gaining initial access in targeted attacks. To protect against them, BI.ZONE experts recommend using specialized solutions that block spam and malicious emails. Services that offer continuous IT perimeter monitoring can ensure an effective response to new threats. They allow companies to quickly recognize advanced attacks and neutralize them.
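The delivery chain described above (phishing email, archive, executable, remote access tool) leaves a process-creation trail that the monitoring recommended here can key on. The script below is an added example, not BI.ZONE's code or a product feature: it runs a handful of constructed process-creation records (simplified, in the spirit of Sysmon Event ID 1, not real telemetry) through three checks: a remote access tool running outside the directory the organization installed it in, a remote access tool spawned by a process that itself lives in a user-writable path, and any executable launched by a mail client or archiver from a temp or downloads folder. The tool names, the approved install directory, the delivery-parent list and the `assistant-placeholder.exe` name (the page does not give the ASSISTANT binary name) are all assumptions for a hypothetical organization.

```python
"""Flag remote-access-tool launches that arrive through a mail/archive chain.

Added example; the records below are constructed, not real telemetry, and the
tool names, approved paths and placeholder binary name are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# Remote access tools the hypothetical organization tracks. TeamViewer and AnyDesk are
# products named in the article; the article does not give ASSISTANT's binary name,
# so a clearly labelled placeholder stands in for it.
REMOTE_ACCESS_TOOLS = {"teamviewer.exe", "anydesk.exe", "assistant-placeholder.exe"}

# Tools the hypothetical organization has approved, with the only install directory
# each is expected to run from (lower-cased, trailing backslash). Anything else is noise
# or abuse, even if the binary itself is legitimate.
APPROVED_INSTALL_DIRS = {"anydesk.exe": "c:\\program files (x86)\\anydesk\\"}

# Processes that typically hand a phishing attachment to the user: mail clients, archivers.
DELIVERY_PARENTS = {"outlook.exe", "thunderbird.exe", "winrar.exe", "7zfm.exe"}

# Directories a mailed payload is usually extracted to or run from.
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|downloads)\\", re.IGNORECASE)

# Constructed records: timestamp | host | new process image | parent process image
SAMPLE_EVENTS = r"""
2023-07-19T09:01:12Z | HOTEL-PC1 | C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | C:\Windows\explorer.exe
2023-07-19T09:01:40Z | HOTEL-PC1 | C:\Program Files\WinRAR\WinRAR.exe | C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
2023-07-19T09:02:03Z | HOTEL-PC1 | C:\Users\front\AppData\Local\Temp\Rar$EXa0.123\registration_changes.exe | C:\Program Files\WinRAR\WinRAR.exe
2023-07-19T09:02:09Z | HOTEL-PC1 | C:\Users\front\AppData\Local\Temp\Rar$EXa0.123\assistant-placeholder.exe | C:\Users\front\AppData\Local\Temp\Rar$EXa0.123\registration_changes.exe
2023-07-19T10:15:00Z | IT-ADMIN | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | C:\Windows\explorer.exe
2023-07-19T11:30:45Z | HOTEL-PC2 | C:\Users\guestdesk\Downloads\AnyDesk.exe | C:\Program Files\7-Zip\7zFM.exe
"""


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    image: str   # full path of the newly created process
    parent: str  # full path of the parent process

    @property
    def image_name(self) -> str:
        return ntpath.basename(self.image).lower()

    @property
    def parent_name(self) -> str:
        return ntpath.basename(self.parent).lower()


def parse_events(text: str) -> List[ProcessEvent]:
    """Parse the pipe-separated constructed records; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(" | ")]
        if len(fields) != 4:
            continue
        events.append(ProcessEvent(*fields))
    return events


def classify(ev: ProcessEvent) -> List[str]:
    """Return the reasons an event deserves analyst attention; empty means benign."""
    reasons = []
    name = ev.image_name
    if name in REMOTE_ACCESS_TOOLS:
        approved_dir = APPROVED_INSTALL_DIRS.get(name)
        if approved_dir is None or not ev.image.lower().startswith(approved_dir):
            reasons.append("remote-access tool outside its approved install location")
        if USER_WRITABLE.search(ev.parent):
            reasons.append("remote-access tool spawned by a process in a user-writable path")
    if ev.parent_name in DELIVERY_PARENTS and USER_WRITABLE.search(ev.image):
        reasons.append("executable launched by a mail client or archiver from a user-writable path")
    return reasons


def find_suspicious(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Reduce a stream of process-creation events to the ones worth looking at."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in find_suspicious(parse_events(SAMPLE_EVENTS)):
        print(f"{ev.timestamp} {ev.host} {ev.image_name} <- {ev.parent_name}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run as-is, the script flags the dropper extracted by WinRAR, the placeholder remote access binary it spawns, and an AnyDesk copy run from a Downloads folder, while the approved AnyDesk install on the admin host passes untouched. The design point is the allowlist keyed on install path: because these tools are legitimate and often sanctioned, name-based blocking alone is either too noisy or too lenient, whereas "approved tool, approved location, sane parent" separates the organization's own usage from a copy that arrived by email.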
