Technology

Hackers are using Russian domains to launch complex document-based phishing attacks

December 26, 2024

Data exfiltration tactics are shifting toward Russian domains
Remote Access Trojans see a 59% rise in phishing emails
Malicious emails now bypass secure gateways every 45 seconds

New research has found there is a significant increase in malicious email activity as well as a shift in attack strategies.

On average, at least one malicious email bypasses Secure Email Gateways (SEGs), such as Microsoft and Proofpoint, every 45 seconds, marking a notable rise from the previous year’s rate of one every 57 seconds, the Cofense Intelligence’s third-quarter Trends Report showed.

There is a sharp increase in the use of Remote Access Trojans (RATs) which allows attackers to gain unauthorized access to a victim’s system, often leading to data theft or further exploitation.

Rise in Remote Access Trojan (RAT) usage

Remcos RAT, a widely used tool among cybercriminals is a major culprit in the rise of RAT attacks. It allows remote control of infected systems which enables the attacker to exfiltrate data, deploy additional malware, and gain persistent access to compromised networks.

Open redirects as a technique in phishing campaigns are also gaining prominence as the report reveals a 627% increase in its use. These attacks exploit the functionality of legitimate websites to redirect users to malicious URLs, often masking the threat behind well-known and trusted domains.

TikTok and Google AMP are often used to carry out these attacks, taking advantage of their global reach and frequent use by unsuspecting individuals.

The use of malicious Office documents, especially those in .docx format, rose dramatically by nearly 600%. These documents often contain phishing links or QR codes that direct victims to harmful websites.

Microsoft Office documents remain a popular attack vector because of their widespread use in business environments, making them ideal for targeting organizations through spear-phishing campaigns.

Furthermore, there is a significant shift in data exfiltration tactics, with increased usage of .ru and .su top-level domains (TLDs). Domains using the .ru (Russia) and .su (Soviet Union) extensions saw usage spikes of more than fourfold and twelvefold, respectively, indicating cybercriminals are turning to less common and geographically associated domains to evade detection and make it harder for victims and security teams to track data theft activities.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar