Full Report
A new multi-stage phishing campaign has been observed targeting users in Russia with ransomware and a remote access trojan called Amnesia RAT. "The attack begins with social engineering lures delivered via business-themed documents crafted to appear routine and benign," Fortinet FortiGuard Labs researcher Cara Lin said in a technical breakdown published this week. "These documents and
Analysis Summary
# Incident Report: Multi-Stage Phishing Campaign with Amnesia RAT and Ransomware
## Executive Summary
A sophisticated, multi-stage phishing campaign was observed targeting users in Russia, employing social engineering via business-themed documents to deliver the Amnesia RAT and subsequently, ransomware. The attackers utilized multiple public cloud services (GitHub and Dropbox) for payload distribution, which complicated takedown efforts. A key technique involved using a legitimate tool, `defendnot`, to disable Microsoft Defender protection before deploying final-stage malware.
## Incident Details
- **Discovery Date:** Week of publication (implied by the release of the technical breakdown).
- **Incident Date:** Ongoing at time of reporting.
- **Affected Organization:** Various users/entities targeted in Russia.
- **Sector:** Not explicitly stated, but implied to involve entities handling business/financial documents.
- **Geography:** Russia.
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified (Campaign initiation).
- **Vector:** Email-based social engineering (phishing).
- **Details:** Attackers delivered compressed archives containing decoy documents and a malicious Windows shortcut file (.LNK) with Russian-language filenames (e.g., "Задание_для_бухгалтера_02отдела.txt.lnk"). The double extension disguised the LNK file as a text file.
### Execution and Privilege Escalation
- A PowerShell script was retrieved from GitHub to establish a foothold.
- A subsequent VBScript payload was executed, loading the final-stage script into memory.
- The final script attempted to gain elevated privileges via repeated UAC prompts.
- The elevated privileges were used to add Microsoft Defender exclusions and disable other Defender components.
### Data Exfiltration/Impact
- The final stage deployed the main payloads, **Amnesia RAT** and **ransomware**. (The source text was truncated before it described exfiltration tactics following RAT deployment.)
### Detection & Response
- **How it was discovered:** Analysis conducted by Fortinet FortiGuard Labs.
- **Response actions taken:** Unknown for the victim organizations; Fortinet published a technical breakdown to aid defense.
## Attack Methodology
- **Initial Access:** Social engineering via business-themed documents delivered in archives, leading to the execution of a malicious LNK file.
- **Persistence:** Implied by the deployment of Amnesia RAT at the end of the staged execution chain.
- **Privilege Escalation:** Forced by a final-stage script repeatedly triggering UAC prompts until elevated permissions were granted.
- **Defense Evasion:** Hiding the PowerShell console window; generating and opening a decoy document to distract the user; configuring Defender exclusions; using the `defendnot` tool to register a fake AV product, causing Microsoft Defender to disable itself.
- **Credential Access:** Not explicitly detailed, but expected post-RAT deployment.
- **Discovery:** Conducted environment reconnaissance after initial persistence was achieved.
- **Lateral Movement:** Not described; the PowerShell and VBScript stages execute on the initially compromised host.
- **Collection:** Not explicitly detailed, but expected via Amnesia RAT.
- **Exfiltration:** Not explicitly detailed (Amnesia RAT capability).
- **Impact:** Deployment of ransomware and establishment of a persistent remote access channel via Amnesia RAT.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Likely sensitive data collection/loss due to the presence of a sophisticated RAT (Amnesia RAT).
- **Operational:** High risk of operational disruption due to ransomware deployment.
- **Reputational:** Potential damage if the ransomware incident or a data leak becomes public.
## Indicators of Compromise
- **Network indicators (defanged):** Payload retrieval from `github[.]com/Mafin111/MafinREP111`; communication using the Telegram Bot API.
- **File indicators:** Malicious `.LNK` file (e.g., "Задание_для_бухгалтера_02отдела.txt.lnk"); file `SCRRC4ryuk.vbe`.
- **Behavioral indicators:** Programmatic suppression of PowerShell visibility; delayed execution (444-second pause); memory-only payload assembly; use of `defendnot` to spoof AV registration.
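The behavioral indicators above can be turned into process-creation rules. The following is an added example written for this report, not code from Fortinet or from the campaign analysis: it runs over constructed Sysmon/4688-style records (invented for the example; only the `SCRRC4ryuk.vbe` filename and the 444-second pause come from the report), and the document-extension list and the 300-second sleep threshold are assumptions chosen for the example.

```python
"""Detection logic for the behavioural indicators listed above.

Runs over constructed process-creation records (Sysmon Event ID 1 / Security
4688 style fields reduced to dicts). The events are invented for the example,
not telemetry from the reported campaign; only the SCRRC4ryuk.vbe filename and
the 444-second pause come from the report.
"""
import re

# Document extensions seen as the "inner" extension of a disguised shortcut,
# e.g. Задание_для_бухгалтера_02отдела.txt.lnk (assumed list; extend as needed).
DOC_EXTS = ("txt", "pdf", "doc", "docx", "xls", "xlsx", "rtf")
DOUBLE_EXT_LNK = re.compile(r"\.(?:" + "|".join(DOC_EXTS) + r")\.lnk$", re.IGNORECASE)

# Console-hiding switch on the PowerShell command line (-WindowStyle Hidden / -w hidden).
HIDDEN_WINDOW = re.compile(r"-(?:w|windowstyle)\s+hidden\b", re.IGNORECASE)
# Exclusions added or protection features disabled through the Defender cmdlets.
DEFENDER_TAMPER = re.compile(
    r"Add-MpPreference[^;|]*-Exclusion|Set-MpPreference[^;|]*-Disable", re.IGNORECASE)
# Start-Sleep 444 / Start-Sleep -s 444 / Start-Sleep -Seconds 444
START_SLEEP = re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.IGNORECASE)
LONG_SLEEP_SECONDS = 300  # threshold assumed for the example; the campaign paused 444 s
# Script host launching a plain (.vbs) or encoded (.vbe) VBScript file.
VBSCRIPT_FILE = re.compile(r"\.vb[se]\b", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed records
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Sleep -Seconds 444; & $env:TEMP\stage2.ps1"'},
    {"pid": 4388, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\user\AppData\Local\Temp\SCRRC4ryuk.vbe"'},
    {"pid": 4512, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Users\Public; Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"pid": 5001, "parent_image": r"C:\Windows\explorer.exe",  # benign admin use
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -NoProfile -Command "Get-ChildItem C:\Reports | Measure-Object"'},
    {"pid": 5120, "parent_image": r"C:\Windows\explorer.exe",  # benign
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_double_extension_lnk(filename: str) -> bool:
    """True for names like invoice.pdf.lnk, the disguise used for the lure shortcut."""
    return DOUBLE_EXT_LNK.search(_basename(filename)) is not None


def evaluate_event(ev: dict) -> list[str]:
    """Return the names of the rules that match one process-creation event."""
    hits = []
    image = _basename(ev.get("image", ""))
    cmd = ev.get("command_line", "")
    if image in ("powershell.exe", "pwsh.exe") and HIDDEN_WINDOW.search(cmd):
        hits.append("hidden_powershell")
    if DEFENDER_TAMPER.search(cmd):
        hits.append("defender_tamper")
    m = START_SLEEP.search(cmd)
    if m and int(m.group(1)) >= LONG_SLEEP_SECONDS:
        hits.append("long_sleep")
    if image in ("wscript.exe", "cscript.exe") and VBSCRIPT_FILE.search(cmd):
        hits.append("script_host_vbscript")
    return hits


def scan(events) -> dict[int, list[str]]:
    """Map pid -> matched rules for every event that triggered at least one rule."""
    findings = {}
    for ev in events:
        hits = evaluate_event(ev)
        if hits:
            findings[ev["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(rules)}")
    print(is_double_extension_lnk("Задание_для_бухгалтера_02отдела.txt.lnk"))
```

Each rule on its own is noisy (administrators do add exclusions and scripts do sleep); the value is in the chain, so the findings are keyed by process so that a hidden PowerShell parent, a script-host child and a Defender-tampering grandchild can be correlated by parent/child relationship.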
## Response Actions
- **Containment measures:** Not detailed for victims; the public analysis focused on the technical breakdown.
- **Eradication steps:** Dependent on successful identification and removal of Amnesia RAT and ransomware artifacts.
- **Recovery actions:** Dependent on backup status and ransomware encryption severity.
## Lessons Learned
- **Key takeaways:** Attackers are leveraging public cloud services for resilient multi-stage payload hosting (separating scripts on GitHub from binaries on Dropbox). Sophisticated multi-stage execution conceals malicious activity from the user and initial security monitoring. Abuse of legitimate security bypass tools like `defendnot` is a highly effective defense evasion technique.
- **What could have been done better:** Improved email/gateway filtering to block compressed archives; enhanced behavioral monitoring to detect UAC abuse or attempts to modify Defender configurations.
## Recommendations
- Implement stronger controls on executing LNK files originating from email or untrusted archives.
- Deploy advanced endpoint detection and response (EDR) capable of detecting in-memory script execution and suspicious PowerShell command-line arguments.
- Harden UAC settings and strictly monitor for applications attempting to disable security products like Microsoft Defender.
- Utilize security tools that can detect the presence or attempted use of tools designed to masquerade as legitimate security solutions (e.g., `defendnot`).
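One way to act on the last two recommendations, monitoring for Defender being reconfigured or disabled and for unexpected antivirus registrations of the kind `defendnot` relies on. This is an added example for this report, not Fortinet's code or the `defendnot` project's: the Defender event records and Security Center entries are constructed (the message text only approximates the real wording of events 5001 and 5007), and the allowlist of sanctioned AV names is an assumption an organisation would replace with its own.

```python
"""Tamper monitoring for Microsoft Defender, over constructed input.

Two checks the recommendations above call for:
  1. Microsoft-Windows-Windows Defender/Operational events 5001 (real-time
     protection disabled) and 5007 (configuration changed) whose new value
     adds an exclusion.
  2. Antivirus products registered with the Security Center (WMI class
     root/SecurityCenter2:AntiVirusProduct) that are not on an allowlist or
     whose executable sits in a user-writable location. Defender stands down
     when another product is registered, which is what defendnot exploits.
All records are constructed for the example and the message text only
approximates the real event wording; on a host they would come from
Get-WinEvent and Get-CimInstance -Namespace root/SecurityCenter2.
"""
import re
from dataclasses import dataclass

# Registry path Defender reports in a 5007 event when an exclusion is written.
EXCLUSION_RE = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+?)\s*=", re.IGNORECASE)
# Locations an unprivileged user can write to; a real AV engine is not installed there.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp)\\", re.IGNORECASE)
# Assumed allowlist for the example; an organisation lists its sanctioned AV names here.
ALLOWED_AV = frozenset({"Windows Defender"})


@dataclass
class Alert:
    source: str   # "defender-event" or "security-center"
    reason: str
    detail: str


def check_defender_events(events) -> list[Alert]:
    """Flag real-time protection being switched off and exclusions being added."""
    alerts = []
    for ev in events:
        eid, msg = ev["event_id"], ev["message"]
        if eid == 5001:
            alerts.append(Alert("defender-event", "realtime_protection_disabled", msg.splitlines()[0]))
        elif eid == 5007:
            # Only the new value matters; an exclusion being removed shows up in the old value.
            new_value = msg.split("New value:", 1)[1] if "New value:" in msg else ""
            m = EXCLUSION_RE.search(new_value)
            if m:
                alerts.append(Alert("defender-event", f"exclusion_added_{m.group(1).lower()}", m.group(2)))
    return alerts


def check_registered_av(products, allowlist=ALLOWED_AV) -> list[Alert]:
    """Flag Security Center registrations that are not sanctioned or point into user-writable paths.

    Both checks run independently because a spoofed registration can reuse a sanctioned name.
    """
    alerts = []
    for p in products:
        name, exe = p["displayName"], p["pathToSignedProductExe"]
        if name not in allowlist:
            alerts.append(Alert("security-center", "unknown_av_registration", f"{name} -> {exe}"))
        if USER_WRITABLE.search(exe):
            alerts.append(Alert("security-center", "user_writable_av_path", f"{name} -> {exe}"))
    return alerts


DEFENDER_EVENTS = [  # constructed; wording approximates the real events
    {"event_id": 5007, "message": (
        "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event "
        "you should review the settings as this may be the result of malware.\n"
        "\tOld value: \n"
        "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public = 0x0")},
    {"event_id": 5001, "message":
        "Microsoft Defender Antivirus Real-time Protection scanning for malware is disabled."},
    {"event_id": 1150, "message": "Endpoint Protection client is up and running in a healthy state."},
]

REGISTERED_AV = [  # constructed; field names follow the AntiVirusProduct WMI class
    {"displayName": "Windows Defender", "pathToSignedProductExe": "windowsdefender://"},
    {"displayName": "Contoso Endpoint Shield",
     "pathToSignedProductExe": r"C:\Users\user\AppData\Local\Temp\shield.exe"},
]

if __name__ == "__main__":
    for a in check_defender_events(DEFENDER_EVENTS) + check_registered_av(REGISTERED_AV):
        print(f"[{a.source}] {a.reason}: {a.detail}")
```

A 5001 event that is not preceded by a sanctioned AV rollout, or a Security Center entry whose executable lives under a user profile, is the signal that a product like `defendnot` has been used rather than a genuine vendor switch, and both should page the responder rather than land in a daily report.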