Doctor Web specialists have discovered a malicious copy of the website of the Federal Bailiff Service (FSSP) of Russia. Hackers use the fake site to infect visitors with the Trojan.DownLoader28.58809 trojan.
Visually, the fake found by the researchers is almost indistinguishable from the original, although, unlike the official site, it renders some elements incorrectly.
When a visitor clicks on certain links on the site, they are redirected to a page warning that Adobe Flash Player needs to be updated. At the same time, an .exe file is downloaded to the visitor's device; launching it installs Trojan.DownLoader28.58809.
This trojan installs itself to run at system startup, connects to its control server and downloads a further malicious module, Trojan.Siggen8.50183. In addition, a file carrying a valid Microsoft digital signature, used to run the main malicious library, is downloaded to the device. The malware then collects information about the victim's system and sends it to its control server. Once installed, the trojan is launched every time the device starts and can perform various actions on command from the control server. In particular, the trojan can:
- get disk information;
- get file information;
- get information about a folder (the number of files and subfolders and their size);
- get a list of files in a folder;
- delete files;
- create a folder;
- move a file;
- start a process;
- stop a process;
- get a list of processes.
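The lure chain described above (a lookalike of the FSSP site, a fake Flash Player update page, then an .exe download) can be spotted in web-proxy logs. The following is an added example, not Doctor Web's code; it assumes the legitimate domain is fssp.gov.ru (not named in the article), a simplified log format, and constructed sample lines with a placeholder lookalike host.

```python
import re
from datetime import datetime, timedelta

# Assumption: legitimate FSSP domain (the article does not name it).
LEGIT_DOMAIN = "fssp.gov.ru"
WINDOW = timedelta(minutes=5)   # max gap between lookalike visit and .exe download

# Constructed sample proxy log: "<ISO time> <client> <host> <path> <content-type>".
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 fssp.gov.ru /iss/ip text/html
2024-01-10T09:01:12 10.0.0.7 fssp-gov.ru.example /iss/ip text/html
2024-01-10T09:01:20 10.0.0.7 fssp-gov.ru.example /update/flash_player.html text/html
2024-01-10T09:01:25 10.0.0.7 fssp-gov.ru.example /update/flashplayer_update.exe application/x-msdownload
2024-01-10T09:05:00 10.0.0.9 updates.example /tools/setup.exe application/x-msdownload
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def levenshtein(a, b):
    """Edit distance, used to catch typosquats of the legitimate domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host):
    """A host that is not the real site but reuses its brand label or is a near-typo of it."""
    host = host.lower()
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return False
    brand = LEGIT_DOMAIN.split(".")[0]          # "fssp"
    return brand in host or levenshtein(host, LEGIT_DOMAIN) <= 2

def find_lure_chains(log_text):
    """Return (client, lookalike_host, exe_path) for .exe downloads shortly after a lookalike visit."""
    last_lookalike = {}   # client -> (timestamp, host) of most recent lookalike request
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, host, path, ctype = m.groups()
        when = datetime.fromisoformat(ts)
        if is_lookalike(host):
            last_lookalike[client] = (when, host)
        is_exe = path.lower().endswith(".exe") or ctype == "application/x-msdownload"
        if is_exe and client in last_lookalike:
            seen, lure_host = last_lookalike[client]
            if when - seen <= WINDOW:
                hits.append((client, lure_host, path))
    return hits

if __name__ == "__main__":
    for client, host, path in find_lure_chains(SAMPLE_LOG):
        print(f"{client}: .exe {path} downloaded after visiting lookalike {host}")
```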
According to the researchers, the attackers have not yet launched large-scale malicious campaigns using this fake site, but it could be used in attacks against individual users or organizations.
Indicators of compromise have already been published on GitHub.