{"id":55052,"date":"2025-12-17T05:58:51","date_gmt":"2025-12-17T10:58:51","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=55052"},"modified":"2025-12-17T05:58:51","modified_gmt":"2025-12-17T10:58:51","slug":"forumtroll-hunts-for-political-scientists","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/forumtroll-hunts-for-political-scientists\/55052\/","title":{"rendered":"ForumTroll targets political scientists"},"content":{"rendered":"<p>Our experts from the Global Research and Analysis Team (GReAT) have investigated a new wave of targeted emails from the ForumTroll APT group. Whereas previously their malicious emails were sent to public addresses of organizations, this time the attackers have targeted specific individuals \u2014 scientists from Russian universities and other organizations specializing in political science, international relations, and global economics. The purpose of the campaign was to infect victims\u2019 computers with malware in order to gain remote access to them.<\/p>\n<h2>What the malicious email looks like<\/h2>\n<p>The attackers sent the emails from the address <em>support@e-library{.}wiki<\/em>, which imitates the address of the scientific electronic library eLibrary (its real domain is <a href=\"https:\/\/www.elibrary.ru\/defaultx.asp\" target=\"_blank\" rel=\"noopener nofollow\">elibrary.ru<\/a>). The emails contained personalized links to a plagiarism-check report on some material \u2014 a lure that, according to the attackers\u2019 plan, was supposed to be of interest to scientists.<\/p>\n<p>In reality, the link downloaded an archive from the same <em>e-library{.}wiki<\/em> domain. Inside was a malicious <em>.lnk<\/em> file and a <em>.Thumbs<\/em> directory containing images that were apparently intended to evade security technologies. 
The victim\u2019s full name was used in the filenames of both the archive and the malicious link file.<\/p>\n<p>If the victim had doubts about the legitimacy of the email and visited the <em>e-library{.}wiki<\/em> page, they were shown a slightly outdated copy of the real website.<\/p>\n<h2>What happens if the victim clicks on the malicious link<\/h2>\n<p>If the scientist who received the email clicked on the file with the <em>.lnk<\/em> extension, a malicious PowerShell script was executed on their computer, triggering the infection chain. As a result, the attackers installed Tuoni, a commercial framework for <a href=\"https:\/\/en.wikipedia.org\/wiki\/Red_team\" target=\"_blank\" rel=\"noopener nofollow\">red teams<\/a>, on the attacked machine, which gave them remote access and further opportunities to compromise the system. In addition, the malware used COM hijacking to achieve persistence, and downloaded and displayed a decoy PDF file whose name also included the victim\u2019s full name. The file itself, however, was not personalized \u2014 it was a rather vague report in the format of one of the Russian plagiarism detection systems.<\/p>\n<p>Interestingly, if the victim tried to open the malicious link from a device whose operating system didn\u2019t support PowerShell, they were prompted to try again from a Windows computer. A more detailed technical analysis of the attack, along with indicators of compromise, can be found in a post <a href=\"https:\/\/securelist.com\/operation-forumtroll-new-targeted-campaign\/118492\/\" target=\"_blank\" rel=\"noopener\">on the Securelist website<\/a>.<\/p>\n<h2>How to stay safe<\/h2>\n<p>The malware used in this attack is successfully detected and blocked by Kaspersky\u2019s security products. 
We recommend installing a reliable security solution not only on all <a href=\"https:\/\/www.kaspersky.com\/next?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____a8c0f733e524af27\" target=\"_blank\" rel=\"noopener nofollow\">devices used by employees to access the internet<\/a>, but also on the <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-security-appliance?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____\" target=\"_blank\" rel=\"noopener nofollow\">organization's mail gateway<\/a>, which can stop most threats delivered via email before they reach an employee\u2019s device.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>GReAT experts have analyzed a new targeted campaign by the ForumTroll APT group.<\/p>\n","protected":false},"author":2706,"featured_media":55053,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[499,19,605],"class_list":{"0":"post-55052","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-apt","10":"tag-email","11":"tag-great"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/forumtroll-hunts-for-political-scientists\/55052\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/forumtroll-hunts-for-political-scientists\/30053\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/forumtroll-hunts-for-political-scientists\/25119\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/forumtroll-hunts-for-political-scientists\/29929\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/forumtroll-hunts-for-political-scientists\/41112\/"},{"hreflang":"ru-kz","url":"https:\/
\/blog.kaspersky.kz\/forumtroll-hunts-for-political-scientists\/30134\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/forumtroll-hunts-for-political-scientists\/35823\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/forumtroll-hunts-for-political-scientists\/35479\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55052","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=55052"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55052\/revisions"}],"predecessor-version":[{"id":55057,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55052\/revisions\/55057"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/55053"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=55052"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=55052"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=55052"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}