{
	"id": "b05911ba-d762-46c6-a03d-7717c3f1ed27",
	"created_at": "2026-04-06T00:14:49.884414Z",
	"updated_at": "2026-04-10T03:21:25.692054Z",
	"deleted_at": null,
	"sha1_hash": "b61b83bc5f52945fbbe6283daa35bf0c3a28da39",
	"title": "Study of a targeted attack on a Russian enterprise in the mechanical-engineering sector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 237358,
	"plain_text": "Study of a targeted attack on a Russian enterprise in the\r\nmechanical-engineering sector\r\nPublished: 2024-03-11 · Archived: 2026-04-05 19:05:26 UTC\r\nMarch 11, 2024\r\nIntroduction\r\nIn October 2023, Doctor Web was contacted by a Russian mechanical-engineering enterprise that suspected\r\nmalware was on one of its computers. Our specialists investigated this incident and determined that the affected\r\ncompany had encountered a targeted attack. During this attack, malicious actors had sent phishing emails with an\r\nattachment containing the malicious program responsible for the initial system infection and installing other\r\nmalicious instruments in the system.\r\nThe goal of this attack was to collect sensitive information about the employees as well as to gather data about the\r\ncompany’s infrastructure and its internal network. In addition, we detected that data had been uploaded from the\r\ninfected computer; this included files stored on the computer and screenshots taken while the malware was in\r\noperation.\r\nGeneral information about the attack and the tools involved\r\nIn early October 2023, malicious actors sent several phishing emails to the email address of the affected company.\r\nThe subject of the messages was related to an “investigation” of certain criminal cases of tax evasion. These\r\nemails were supposedly sent on behalf of an investigator with the Investigative Committee of the Russian\r\nFederation and contained two attachments. The first one was a password-protected ZIP archive. It concealed a\r\nmalicious program which, when executed, initiated the system infection process. The second attachment, a PDF\r\ndocument, was not malicious. It contained a phishing text stating that all the information about the “criminal case”\r\nwas in the archive and encouraged the user to open the malicious program from it.\r\nThe very first such phishing message contained the ZIP archive Трeбoвaниe 19098 Cлед ком РФ от 02.10.23\r\nПАРОЛЬ - 123123123.zip. For its part, the trojan app in it was concealed in the file Перечень юридических лиц\r\nи предприятий, уклонение от уплаты налогов, требования и дополнительные.exe.\r\nOne of the last messages sent is the one shown below:\r\nhttps://news.drweb.com/show/?i=14823\u0026lng=en\u0026c=5\r\nPage 1 of 4\n\nThe phishing PDF document Требование следователя, уклонение от уплаты налогов (запрос в рамках\r\nУД).pdf and the ZIP archive Трeбoвaниe 19221 СК РФ от 11.10.2023 ПАРОЛЬ - 123123123.zip were attached\r\nto it. The archive contained the following items:\r\nAs in their earlier messages, the attackers indicated the password for extracting files from the archive, both\r\nin its name and in the name of the document Пароль для открытия 123123123.odt. This document itself, as well\r\nas the files Права и обязанности и процедура ст. 164, 170, 183 УПК РФ.pdf and the СК РФ.png, were not\r\nmalicious.\r\nThis archive contained two copies of the trojan application: Перечень предприятий, уклонение от уплаты\r\nналогов, а также дополнительные материалы.exe and Дополнительные материалы, перечень вопросов,\r\nнакладные и первичные документы.exe.\r\nIn all cases, Trojan.Siggen21.39882 was the malicious program distributed by attackers. This malware, also\r\nknown as WhiteSnake Stealer, is sold on the DarkNet and is used to steal account data from a variety of software\r\nand to hijack other data. Moreover, it can download and install other malicious apps on attacked computers. In the\r\ntargeted attack in question, it was assigned the role of initiating the first infection stage. After receiving the\r\ncorresponding commands, this trojan collected and transmitted to the attackers information about the configured Wi-Fi network profiles in the infected system as well as the passwords for accessing them. It then launched an SSH\r\nproxy server and installed the second stage in the system.\r\nThe second stage, and simultaneously the threat actors’ main instrument, was the JS.BackDoor.60 malicious\r\nbackdoor program. It was the tool through which the main interaction between the attackers and the infected\r\nsystem took place. One of the backdoor’s features is that it uses its own JavaScript framework. The trojan consists\r\nof the primary obfuscated body and additional modules that, owing to the specifics of the malware’s architecture,\r\nare simultaneously a trojan component and the tasks that it executes via the JavaScript functions they share. The\r\ntrojan receives new tasks from its C\u0026C server, and de facto they turn it into a multi-component threat with\r\nexpandable functionality, which allows it to be used as a powerful cyberespionage instrument.\r\nThe mechanism that JS.BackDoor.60 used to provide itself with the autorun ability is also of interest. Along with\r\nemploying a traditional method—adding necessary changes to the Windows registry—the trojan modified the\r\nshortcut files (.lnk) in a specific way. For this, it verified the contents of a number of system directories, including\r\nthe Desktop and taskbar directories. For all the shortcut files it found in them (excluding Explorer.lnk or\r\nПроводник.lnk), it assigned the program wscript.exe as a target app for launching. At the same time, it added\r\nspecial arguments for its execution, one of which was the Alternate Data Stream (or ADS), in which the backdoor\r\nbody was written. As a result of the changes, the modified shortcuts launched the JS.BackDoor.60 first, and only\r\nafter that―the initial programs.\n\nThroughout the whole attack, malicious actors were actively sending various commands to the backdoor. With its\r\nhelp, they stole the contents of dozens of directories from the infected computer, which contained both personal\r\nand corporate data. Moreover, we found evidence that the trojan had created screenshots.\r\nThe additional spying instrument in this attack was the BackDoor.SpyBotNET.79 malicious program, which was\r\nused for audio surveillance and for recording conversations through the microphone attached to the infected\r\ncomputer. This trojan recorded audio only when it detected a certain sound intensity―in particular, one\r\ncharacteristic of a voice.\r\nAt the same time, the attackers also tried to infect the system with the Trojan.DownLoader46.24755 downloader\r\ntrojan, but failed due to an error that occurred.\r\nThe chronology of the attack is shown in the next illustration:\r\nThe chronology of the tasks received by JS.BackDoor.60:\r\nThe analysis conducted by our specialists did not clearly indicate the involvement of any of the previously known\r\nAPT groups in this attack.\r\nFor detailed technical descriptions of the malicious programs detected, please refer to the PDF version of the\r\nstudy or visit the Doctor Web virus library.\r\nMore details on Trojan.Siggen21.39882\r\nMore details on JS.BackDoor.60\r\nMore details on BackDoor.SpyBotNET.79\r\nMore details on Trojan.DownLoader46.24755\r\nConclusion\r\nThe use of malicious instruments, which are available as a commercial service (MaaS ― Malware as a Service),\r\nsuch as Trojan.Siggen21.39882, allows even relatively inexperienced malicious actors to carry out quite sensitive\r\nattacks against both businesses and government agencies. For its part, social engineering still poses a serious\r\nthreat. This is a relatively simple but effective way to bypass a built-in protection layer, and it can be used by both\r\nexperienced and novice cybercriminals. In this regard, it is especially important to ensure that the entire\r\ninfrastructure of an enterprise is protected, including its workstations and email gateways. Moreover, it is\r\nrecommended to conduct periodic training sessions for employees on the topic of information security and to\r\nfamiliarize them with current digital threats. All these measures will help reduce the likelihood of cyber incidents\r\nand minimize the damage from attacks.\r\nIndicators of compromise\r\nSource: https://news.drweb.com/show/?i=14823\u0026lng=en\u0026c=5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://news.drweb.com/show/?i=14823\u0026lng=en\u0026c=5"
	],
	"report_names": [
		"?i=14823\u0026lng=en\u0026c=5"
	],
	"threat_actors": [],
	"ts_created_at": 1775434489,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b61b83bc5f52945fbbe6283daa35bf0c3a28da39.pdf",
		"text": "https://archive.orkl.eu/b61b83bc5f52945fbbe6283daa35bf0c3a28da39.txt",
		"img": "https://archive.orkl.eu/b61b83bc5f52945fbbe6283daa35bf0c3a28da39.jpg"
	}
}