PlugY and GrewApacha Backdoors Installed via EastWind Attack Using Booby-Trapped LNK Files


A new spearphishing attack, code-named EastWind, seeks to infect the Russian government and IT institutions with several Trojan horses and backdoors.

The spear-phishing campaign, codenamed EastWind, aims to deliver multiple backdoors and trojans to Russian government and IT organizations.

The EastWind attack chains are distinguished by the use of RAR archive attachments that contain a Windows shortcut (LNK) file. Opening the LNK file initiates the infection sequence, which leads to the deployment of malware like GrewApacha, an upgraded CloudSorcerer backdoor, and an implant called PlugY that was previously unreported.

According to Russian cybersecurity firm Kaspersky, PlugY is “downloaded through the CloudSorcerer backdoor, has an extensive set of commands, and supports three different protocols for communicating with the command-and-control server.”

The first infection vector relies on a booby-trapped LNK file that uses DLL side-loading to launch a malicious DLL, which communicates with Dropbox to receive reconnaissance commands and download additional payloads.

One piece of malware delivered through this DLL is GrewApacha, a backdoor previously attributed to the China-linked group APT31. It is also launched via DLL side-loading and uses an attacker-controlled GitHub profile as a dead drop resolver, storing the address of the real C2 server there as a Base64-encoded string.

CloudSorcerer, for its part, is an advanced cyber espionage tool that uses the Dropbox, Yandex Cloud, and Microsoft Graph cloud services for data collection, exfiltration, and covert surveillance. Like GrewApacha, the revised version makes use of legitimate websites such as LiveJournal and Quora.

“As with previous versions of CloudSorcerer, profile bios contain an encrypted authentication token to interact with the cloud service,” Kaspersky stated.
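The dead drop resolver described for GrewApacha and CloudSorcerer above (a C2 address or token hidden in a public profile bio) is something defenders can hunt for. The following is an added example, not Kaspersky's code or any sample from the campaign: it scans profile text for Base64 tokens that decode to something shaped like a host or URL. The bio and the encoded host in it are constructed placeholders, not real indicators.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Candidate Base64 tokens: valid alphabet and long enough to hold a host name.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# Shape of a decoded dead-drop payload: optional scheme, IPv4 or domain, optional port/path.
C2_LIKE = re.compile(
    r"^(?:https?://)?(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
    r"(?::\d{1,5})?(?:/\S*)?$"
)


def decode_candidate(token: str) -> Optional[str]:
    """Strictly decode a Base64 token; return printable ASCII text or None.

    Ordinary long words (e.g. 'cybersecurity') fail the length/padding check
    inside b64decode and are rejected here, which keeps false positives low.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_dead_drop_c2(profile_text: str) -> List[Tuple[str, str]]:
    """Return (encoded, decoded) pairs whose decoded form looks like a C2 endpoint."""
    hits = []
    for match in B64_TOKEN.finditer(profile_text):
        decoded = decode_candidate(match.group(0))
        if decoded and C2_LIKE.match(decoded.strip()):
            hits.append((match.group(0), decoded.strip()))
    return hits


# Constructed sample bio (hypothetical, not a real indicator): filler text plus an encoded host.
SAMPLE_BIO = (
    "Open source enthusiast. Coffee first. "
    "aHR0cHM6Ly9jMi1wbGFjZWhvbGRlci5leGFtcGxlL2FwaQ== "
    "Opinions are my own."
)

if __name__ == "__main__":
    for encoded, decoded in find_dead_drop_c2(SAMPLE_BIO):
        print(f"{encoded} -> {decoded}")
```

Running this over a feed of profile bios (GitHub, Quora, LiveJournal) tied to accounts seen in proxy or DNS logs gives a cheap triage signal; the encrypted tokens Kaspersky mentions for CloudSorcerer will not decode to a readable host and need a different check.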

Moreover, it incorporates an encryption-based protection mechanism that ensures the malware detonates only on the victim's machine, using a unique key generated at runtime with the Windows GetTickCount() function.

The third malware family seen in the EastWind attacks is PlugY, a fully functional backdoor with the ability to execute shell commands, log keystrokes, monitor the device screen, and capture clipboard contents. It communicates with its management server over TCP, UDP, or named pipes.

According to Kaspersky, an examination of PlugY's source code revealed overlaps with DRBControl (also known as Clambling), a backdoor linked to the China-nexus threat clusters tracked as APT27 and APT41.

“The attackers behind the EastWind campaign used popular network services as command servers—GitHub, Dropbox, Quora, as well as Russian LiveJournal and Yandex Disk,” the company said.

The disclosure comes as Kaspersky also described a watering hole attack in which a legitimate Russian gas supply website was compromised to distribute a worm called CMoon. The worm can collect sensitive information, including payment details, take screenshots, download additional malware, and launch distributed denial-of-service (DDoS) attacks against targets of interest.

The malware also gathers files and data from a range of web browsers, cryptocurrency wallets, instant messaging apps, SSH clients, FTP software, video recording and streaming apps, authenticators, remote desktop tools, and VPNs.

“CMoon is a worm written in .NET with wide functionality for data theft and remote control,” it stated. “The executable file starts monitoring the linked USB disks as soon as it is installed. This enables you to copy a worm to attackers and infect other systems where the drive will be utilized, in addition to stealing files from portable media that might be of interest to them.”
