
Positive Technologies discovered a cyber group attacking the company

MOSCOW, September 27. A large Russian cybersecurity company, Positive Technologies, has discovered the Dark River group, which attacks Russian enterprises using tools for espionage and theft of confidential information, the company said.
“A new group operating dangerous malware, which researchers called Dark River, is purposefully attacking enterprises <…>, investing serious financial and intellectual resources in the development of its tools. The architecture and transport system developed at a high technological level allow its backdoor (a program installed by the hacker — ed.) to operate unnoticed in the compromised infrastructure for a long time for the purpose of espionage and stealing confidential information,” the company said.
Experts suggest that the attack begins with a phishing email that contains a “.docx” file whose contents are structured in such a way that the recipient has to enable editing mode. When this mode is enabled, a resource controlled by cybercriminals may be loaded. Similar emails were sent to Russian enterprises in August-September 2022.

The backdoor is well disguised: the names of its executable files are similar to the names of legitimate software installed on infected machines, and a number of samples have a valid digital signature. The developers hid the malicious code from analysis and detection using various types of packers that compress files to make detection of the malware as difficult as possible.

“The main feature of the MataDoor backdoor is that it is unprecedentedly complex compared to what we have seen before. A large and complex transport system allows you to flexibly configure communication with the operator team, with the server, to remain hidden and undetected. This malware can operate even in logically isolated networks, extracting and transmitting data from anywhere,” said Maxim Andreev, senior specialist in the information security threat research department at Positive Technologies.
The company's researchers first discovered such an attack mechanism through MataDoor while investigating an incident last year. Currently, no more than four cases of MataDoor being used in cyber attacks are known; all of them were aimed at large organizations.
