Russian government and IT organizations are being targeted by a new threat actor delivering a series of backdoors and trojans in a phishing campaign codenamed EastWind.
Attack chains are characterized by the use of RAR archive attachments containing a Windows Shortcut (LNK) file which, when opened, activates an infection sequence that culminates in the deployment of malware such as GrewApacha, an updated version of the CloudSorcerer backdoor, and a previously undocumented implant called PlugY.
PlugY "is downloaded through the CloudSorcerer backdoor, has an extensive set of commands, and supports three different protocols to communicate with the command-and-control server," Russian cybersecurity company Kaspersky said.
The initial infection vector relies on a booby-trapped LNK file that uses DLL sideloading to run a malicious DLL, which in turn uses Dropbox as a communication channel to execute reconnaissance commands and download additional payloads.
Among the malware deployed via the sideloaded DLLs, GrewApacha is a known backdoor previously linked to the China-nexus APT31 group. Also launched via DLL sideloading, it uses an attacker-controlled GitHub profile as a dead drop resolver, storing the Base64-encoded string of the actual C2 server in the profile.
CloudSorcerer, on the other hand, is a sophisticated cyberespionage tool used for covert monitoring, data collection, and exfiltration through the cloud infrastructure of Microsoft Graph, Yandex Cloud, and Dropbox. As with GrewApacha, the updated variant uses legitimate platforms such as LiveJournal and Quora as its initial C2 server.
“Like previous versions of CloudSorcerer, profile bios contain an encrypted authentication token for interacting with the cloud service,” Kaspersky said.
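The dead drop resolver pattern described for GrewApacha (a Base64-encoded C2 address parked in a GitHub profile) and for CloudSorcerer (an encoded token in a LiveJournal or Quora bio) is easy to hunt for once you know what to look for. The example below is added here and is not code from Kaspersky or from either malware family: it extracts the bio from a constructed profile page, scans it for Base64 tokens, and reports the first one that decodes to a URL or IP address. The HTML layout, the div class name, the sample bio, and the 203.0.113.10 address (RFC 5737 documentation range) are all assumptions made up for the demonstration.

```python
import base64
import binascii
import re
from html import unescape

# Constructed sample, not a real attacker profile. The C2 string is embedded
# in a profile bio as Base64, mirroring how the article describes the
# GrewApacha GitHub dead drop. The address is from the documentation range.
C2_PLAINTEXT = "https://203.0.113.10:443/api"
SAMPLE_BIO = "Open source enthusiast. " + base64.b64encode(C2_PLAINTEXT.encode()).decode()
SAMPLE_PROFILE_HTML = (
    '<html><body><div class="p-note user-profile-bio">'
    + SAMPLE_BIO
    + "</div></body></html>"
)

# The div class is an assumed page layout, not something the article documents.
BIO_RE = re.compile(r'<div class="p-note user-profile-bio">(.*?)</div>', re.S)
# Runs of Base64 alphabet characters long enough to hold a hostname or URL.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Accept a decoded value that looks like an http(s) URL or a dotted-quad IP.
URL_RE = re.compile(r"^(https?://|\d{1,3}(\.\d{1,3}){3})")


def extract_bio(html: str) -> str:
    """Return the bio text from a profile page, or '' if no bio div is present."""
    m = BIO_RE.search(html)
    return unescape(m.group(1)).strip() if m else ""


def find_dead_drop_c2(bio: str):
    """Return the first Base64 token in the bio that decodes to a URL/IP, else None.

    Ordinary words are rejected either because they are not valid Base64
    (bad length or padding), decode to non-ASCII bytes, or do not look
    like a network address once decoded.
    """
    for token in B64_TOKEN_RE.findall(bio):
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if URL_RE.match(decoded):
            return decoded
    return None


if __name__ == "__main__":
    bio = extract_bio(SAMPLE_PROFILE_HTML)
    print("bio:", bio)
    print("resolved C2:", find_dead_drop_c2(bio))
```

In practice the profile HTML would come from a proxy log or a sandbox capture of the implant's outbound request; pairing this check with an alert on GitHub, LiveJournal, or Quora profile fetches originating from unexpected processes is what turns the resolver trick into a detection opportunity rather than a blind spot.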
In addition, it uses an encryption-based protection mechanism that ensures the malware detonates only on the victim's computer, using a unique key derived from the Windows GetTickCount() function during execution.
The third malware family seen in the attacks is PlugY, a full-featured backdoor that connects to the command-and-control server using TCP, UDP, or named pipes and comes with capabilities to execute shell commands, monitor the device screen, log keystrokes, and capture clipboard content.
Kaspersky said that an analysis of the PlugY source code revealed similarities with a known backdoor called DRBControl (aka Clambling), which has been attributed to China-linked threat clusters tracked as APT27 and APT41.
"The attackers behind the EastWind campaign used popular network services — GitHub, Dropbox, Quora, as well as Russian LiveJournal and Yandex Disk — as command servers," the company said.
In the disclosure, Kaspersky also details a watering hole attack, which involved compromising a legitimate website related to gas supplies in Russia in order to distribute a worm called CMoon that can collect sensitive and payment data, take screenshots, download additional malware, and launch distributed denial-of-service (DDoS) attacks on targets of interest.
The malware also collects files and data from various web browsers, cryptocurrency wallets, instant messengers, SSH clients, FTP programs, video recording and streaming programs, authenticators, remote desktop tools, and VPNs.
"CMoon is a worm written in .NET with extensive functionality for data theft and remote control," Kaspersky said. "Immediately after installation, the executable begins to monitor connected USB drives. This allows it to steal files of potential interest to attackers from removable media, as well as to copy the worm to them and infect other computers that will use the drive."