Malware-infected documents found on the Kazakhstan government’s portal
The official website of the Kazakhstan government has hosted documents infected with malware for more than five months, since January this year.
In a report published last week, T&T Security and Zerde Holding, two local security firms, said they identified at least two documents uploaded on the government’s legal and budget-related sections that were installing a version of the Razy malware on users’ systems.
The two files (listed below) were made available via eGov.kz, the Kazakhstan government official portal, where citizens can register to file taxes, interact with various government agencies, and download official documents.
In a video uploaded last week, T&T Security showed how downloading the files prompted users to run an EXE file before opening the requested document.
While the obvious first assumption would be that a foreign cyber-espionage group had staged a clever watering-hole attack to reach targets of interest working for the Kazakhstan government or in sensitive business sectors, this does not appear to be the case.
Razy, a malware strain first spotted in 2015, has usually been associated with financially motivated operations; the vast majority of its features focus on dumping browser credentials and hijacking users’ clipboards to replace cryptocurrency addresses.
In an interview with The Record earlier today, Matthieu Faou, a malware researcher for Slovak antivirus maker ESET, echoed this assumption.
“So far, I think it is not a targeted campaign,” he said.
Instead, Faou believes the most likely scenario is that government employees were themselves infected with Razy through other sources, and that the malware’s file-spreader (virus) component, which ESET tracks as FakeDoc, contaminated other documents stored on their computers; those documents were later uploaded to the official eGov.kz portal.
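The symptom shown in the video, a file served under a document name that asks the user to run an EXE, is detectable before the file is ever opened. The following added example (not code from the report or from the firms named above) checks that a downloaded file's magic bytes match its extension and flags anything that is actually a Windows PE executable; the extension table and the constructed sample blob are assumptions.

```python
import os
import struct

# Magic bytes that a file with each document extension should start with.
# (Assumed table; extend it for the formats a portal actually serves.)
EXPECTED_MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",       # OOXML is a zip container
    ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0",  # OLE2 compound file
    ".rtf": b"{\\rtf",
}

def is_pe_file(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify_download(filename: str, data: bytes) -> str:
    """Compare the content of a downloaded file with what its extension claims.

    Returns 'executable_disguised_as_document', 'ok', 'unexpected_content'
    or 'unknown_extension'.
    """
    ext = os.path.splitext(filename)[1].lower()
    # Content wins over the name: a PE header under a .docx/.pdf name is the
    # FakeDoc-style symptom described above, whatever the extension says.
    if is_pe_file(data):
        return "executable_disguised_as_document"
    if ext not in EXPECTED_MAGIC:
        return "unknown_extension"
    if data.startswith(EXPECTED_MAGIC[ext]):
        return "ok"
    return "unexpected_content"

def build_fake_pe() -> bytes:
    """Constructed sample: a minimal MZ stub pointing at a 'PE\\0\\0' signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)       # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)       # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20

if __name__ == "__main__":
    # Constructed inputs, not files from the portal.
    print(classify_download("budget_2021.docx", build_fake_pe()))
    print(classify_download("law_text.pdf", b"%PDF-1.7\n%...\n"))
```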
The Kazakhstan incident marks the second time this year that cybercriminals managed to plant malware on an official government site. The first incident took place last month when a known Chinese cyber-espionage group used the Myanmar president’s website to distribute a backdoor trojan.