JSC GREC Makeyev and other Russian entities under attack

A cyberespionage campaign hit multiple Russian organizations, including JSC GREC Makeyev, a major defense contractor, exploiting a recently disclosed zero-day.

Security researchers from Malwarebytes uncovered multiple attacks targeting many Russian organizations, including JSC GREC Makeyev, a company that develops liquid and solid fuel for Russia’s ballistic missiles and space rocket program.

Threat actors behind the cyberespionage campaign orchestrated spear-phishing attacks, the messages sent to the target organizations used weaponized Office documents.

The documents were crafted to exploit the CVE-2021-40444 Internet Explorer flaw and pose to be sent by the company’s HR department.

Recently Microsoft has warned of multiple threat actors, including ransomware operators, that are exploiting the recently patched Windows MSHTML remote code execution security flaw (CVE-2021-40444) in attacks against organizations.

The IT giant says that threat actors started targeting this issue on August 18, before Microsoft shared mitigation for this vulnerability, threat actors used weaponized Office documents. The campaigns observed in August 2021 likely employed emails impersonating contracts and legal agreements, the messages used documents that were hosted on file-sharing sites. 

Now Malwarebytes observed multiple attacks exploiting the same MSHTML vulnerability aimed at Russian entities.

“The email claims to come from the Human Resources (HR) department of the organization.

It says that HR is performing a check of the personal data provided by employees. The email asks employees to please fill out the form and send it to HR, or reply to the mail. When the receiver wants to fill out the form they will have to enable editing. And that action is enough to trigger the exploit.” reads the post published by Malwarebytes.

“The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.”

Another bait document used in the attacks claims to originate from the Ministry of the Interior in Moscow. The name of the document translates to “Notification of illegal activity,” its content asks the recipient to fill out the form and return it to the Ministry of Internal affairs or reply to this email within 7 days.

The nature of the targets suggests that the attacks were part of a cyberespionage campaign carried out by a state-sponsored actor, but at the time of this writing the experts did not attribute it to a specific actor.

A joint report published by Rostelecom-Solar and the FSB National Coordination Center for Computer Incidents (NKTsKI) revealed in May that foreign hackers have stolen information from Russian federal agencies.

The attacks were spotted in 2020, threat actors leveraged spear-phishing attacks, exploitation of vulnerabilities in web applications, hacking the infrastructure of contractors to penetrate the infrastructure of the Russian federal executive authorities.

Experts believe that threat actors behind the intrusions are sophisticated cyber mercenaries engaged by a foreign state.

Early this year, the Russian intelligence agency FSB issued a security alert to warn Russian organizations of potential cyberattacks launched by the United States in response to the SolarWinds supply chain attack.The alert was issued after officials of the new Biden administration declared that attacks like the SolarWinds ones could trigger a response of their government.

The Russian government always denied any involvement in the SolarWinds attack. The Russian National Coordination Center for Computer Incidents (NKTSKI) published a security bulletin to warn Russian businesses of the imminent risk of cyber attacks as a retaliation for the SolarWinds attacks that US Government agencies attributed to Moscow.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, JSC GREC Makeyev)

[adrotate banner=”5″]

[adrotate banner=”13″]