YoroTrooper relocants from Kazakhstan threaten the economy and cybersecurity of the CIS

Carding 4 Carders

YoroTrooper cyber spies and their plans to steal data from CIS government agencies.

Recently, a new threat appeared in the cyber arena: the YoroTrooper group. According to the Cisco Talos research group, the team probably originates from Kazakhstan. This conclusion is based on their knowledge of the Kazakh and Russian languages, as well as their use of the Kazakh currency, the tenge, to pay for their infrastructure.

The cybercriminals' ability to disguise themselves deserves special attention. YoroTrooper uses various methods to hide its origin, making its activity appear to come from Azerbaijan by routing it through VPN nodes in that region.

The group's actions were first mentioned in a Cisco Talos report in March 2023. However, according to researchers, the hackers have been active since at least June 2022, mainly targeting state structures in the CIS countries. Separately, it should be noted that the information security company ESET tracks YoroTrooper's actions under the name SturgeonPhisher.

In recent months, the group has stepped up its operations in the CIS countries, using highly specialized software and state-of-the-art vulnerability scanners. The group's latest targets include agencies from Tajikistan, Kyrgyzstan, and Uzbekistan. Information stolen in successful compromises includes credentials from multiple applications, browser history, cookies, system information, and screenshots.

[Figure: Infection chain in the latest YoroTrooper attack]

The group's main attack method is spear phishing. The attackers distribute malware and redirect victims to their own websites to harvest credentials. According to analysts, the group's main goal is data theft.

After information about YoroTrooper's activities became publicly available, the group began actively upgrading its attack methods. The hackers have moved from commodity malware to custom tools written in Python, PowerShell, Golang, and Rust. YoroTrooper's direct links with Kazakhstan are further confirmed by its regular security checks of the state postal service site mail[.]kz and its constant requests for the tenge-to-bitcoin exchange rate.