The Russian APT actor “Office Monkeys” carries out low-profile attacks against high-value targets after in-depth surveillance. The campaign currently targets government organizations, research institutions and think tanks in democratic countries. The actor uses compromised legitimate websites to host its spear-phishing endpoints and command-and-control (C&C) servers. Its spear-phishing emails deliver the malware payload via password-protected .zip files attached to the email (with the password needed to extract it given in the body), or by embedding a link to a .zip hosted on a compromised website.
The recent “post-US-election” spear-phishing campaign that the actor has run confirms this general attack behaviour. However, based on a quick piece of research, this time the “monkeys” are massively abusing network monitoring services, using them as C&C servers.
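As an added defensive example (not code from the original write-up), the following Python triage check looks for the delivery pattern described above: a zip attachment whose local file header carries the ZIP encryption bit, a password or extraction code stated in the message body, and links to .zip files. The sample message and archive are constructed inline.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_LOCAL_HEADER = b"PK\x03\x04"
# Heuristic: a "password"/"code" word followed by some token in the body text.
PASSWORD_HINT = re.compile(r"\b(?:password|passcode|code)\b\s*(?:is|:|=)?\s*\S+", re.I)
ZIP_LINK = re.compile(r"https?://\S+?\.zip\b", re.I)

def zip_is_encrypted(data: bytes) -> bool:
    """True if any local file header has the encryption bit (general-purpose flag bit 0) set."""
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos != -1 and pos + 8 <= len(data):
        flags = int.from_bytes(data[pos + 6:pos + 8], "little")  # flags sit at offset 6
        if flags & 0x0001:
            return True
        pos = data.find(ZIP_LOCAL_HEADER, pos + 4)
    return False

def triage_email(raw: bytes) -> list:
    """Return a list of findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    if PASSWORD_HINT.search(body):
        findings.append("extraction password given in body")
    for link in ZIP_LINK.findall(body):
        findings.append(f"link to zip: {link}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or payload.startswith(ZIP_LOCAL_HEADER):
            kind = "encrypted" if zip_is_encrypted(payload) else "plain"
            findings.append(f"{kind} zip attachment: {name}")
    return findings

def build_sample() -> bytes:
    """Constructed sample: a zip with its encryption bit forced on, attached to a lure email."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("briefing.docx.exe", b"constructed placeholder, not a real binary")
    data = bytearray(buf.getvalue())
    data[data.find(ZIP_LOCAL_HEADER) + 6] |= 0x01  # simulate a password-protected archive
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "analyst@example.org", "Briefing"
    msg.set_content("The password to open the archive is Monkey2016.\n"
                    "Mirror: http://example.com/files/briefing.zip\n")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip", filename="briefing.zip")
    return msg.as_bytes()
```

Running `triage_email(build_sample())` yields three findings: the encrypted zip attachment, the password in the body and the .zip link; any one of them alone is a useful mail-gateway signal for this delivery pattern.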