DuneQuixote: Hackers in the Middle East use poetry to bypass antivirus programs

Father

An unknown group attacks government organizations.

Kaspersky Lab has discovered a previously unknown cyber espionage campaign targeting a government organization in the Middle East. The attacker secretly spied on the target and collected sensitive data using an elaborate set of tools designed for stealth and resilience.

The initial malware loader is disguised as a Total Commander installer. The dropper embeds lines from Spanish poems, and the lines differ from one sample to the next, so every build has a different hash and static signature, which defeats detection by traditional hash- and signature-based methods.

The loader also performs anti-analysis checks and refuses to connect to the C2 server if any of the following holds: a debugger or monitoring tool is present on the system; the cursor position does not change over a set period; the available RAM is less than 8 GB; or the disk capacity is less than 40 GB.

Malicious code embedded in the dropper loads the CR4T backdoor. CR4T, written in C/C++ and Go, gives the attacker a console on the infected machine, performs file operations, and uploads and downloads files once it has established contact with the C2 server.

In addition, the Go variant of CR4T achieves persistence through COM hijacking and uses the Telegram API to communicate with the C2 server.

Kaspersky Lab's telemetry identified a victim in the Middle East as early as February 2024. In addition, at the end of 2023 the same malware was uploaded several times to a semi-public malware scanning service, more than 30 submissions in total; the other submitting sources, suspected to be VPN exit nodes, were located in South Korea, Luxembourg, Japan, Canada, the Netherlands, and the United States.
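The poem trick described above is worth seeing in miniature. The following is an added example, not code from the DuneQuixote droppers or from Kaspersky: it builds two fake "samples" that differ only in the embedded Spanish text (two public-domain Cervantes lines chosen here as stand-ins; the real samples' verses are not reproduced), shows that the whole-file SHA-256 changes, and shows two detection keys that do not: a hash computed after long printable runs are stripped, and a YARA-style anchor on invariant code bytes. All byte values are constructed for illustration.

```python
"""
Added example (not code from the DuneQuixote droppers or the Kaspersky
report): why swapping poem lines between samples changes the whole-file
hash, and two ways to key detection on what does not change.  All bytes
and text below are constructed stand-ins.
"""
import hashlib
import re

# Constructed stand-in for loader code that is identical in every sample.
INVARIANT_CODE = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"  # illustrative DOS-header-like bytes
    "558bec83ec40535657"                # illustrative x86 prologue
    "e800000000"                        # call $+5
)

# Constructed stand-in for the packed second stage; no long printable runs.
STAGE2_BLOB = bytes([0x00, 0x8B, 0xE9, 0x0F, 0x1F]) * 40

# Two Cervantes lines (public domain) standing in for the per-sample poem
# text; the real samples' verses are not reproduced here.
POEM_A = "En un lugar de la Mancha, de cuyo nombre no quiero acordarme"
POEM_B = "no ha mucho tiempo que vivía un hidalgo de los de lanza en astillero"


def build_sample(poem: str) -> bytes:
    """Assemble a fake dropper: invariant code, then the poem, then stage 2."""
    return INVARIANT_CODE + poem.encode("utf-8") + b"\x00" + STAGE2_BLOB


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Runs of 12 or more printable ASCII / Latin-1 bytes; the poem lines (and any
# other string padding an author might vary per build) fall in here.
_TEXT_RUN = re.compile(rb"[\x20-\x7e\xa0-\xff]{12,}")


def strip_text_runs(data: bytes) -> bytes:
    """Drop long printable runs so varied strings stop affecting the hash."""
    return _TEXT_RUN.sub(b"", data)


def structural_hash(sample: bytes) -> str:
    """Hash of the sample minus its printable runs: stable across poem swaps."""
    return sha256_hex(strip_text_runs(sample))


# Invariant byte sequence taken from the (constructed) code above, the way a
# YARA rule anchors on real loader code rather than on the file hash.
INVARIANT_PATTERN = bytes.fromhex("558bec83ec40535657e800000000")


def matches_invariant(sample: bytes) -> bool:
    return INVARIANT_PATTERN in sample


def compare_samples(poem_a: str, poem_b: str) -> dict[str, bool]:
    """Summarise which detection keys survive a poem swap between two builds."""
    a, b = build_sample(poem_a), build_sample(poem_b)
    return {
        "file_hash_equal": sha256_hex(a) == sha256_hex(b),
        "structural_hash_equal": structural_hash(a) == structural_hash(b),
        "both_match_invariant": matches_invariant(a) and matches_invariant(b),
    }


if __name__ == "__main__":
    for name, poem in (("A", POEM_A), ("B", POEM_B)):
        s = build_sample(poem)
        print(name, "file:", sha256_hex(s)[:16], "structural:", structural_hash(s)[:16])
    print(compare_samples(POEM_A, POEM_B))
```

The printable-run filter is deliberately crude; on a real PE an analyst would hash or pattern-match the code section and leave the data the author can cheaply vary out of the key altogether.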
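The four dormancy conditions listed above translate directly into a sandbox checklist: if an analysis VM trips any of them, the loader never talks to its C2 and the run looks benign. The block below is an added example written for this post, not code from the DuneQuixote loader. The 8 GB and 40 GB thresholds come from the post; the wait time, the monitoring-tool process names, and the stdlib host probes (Windows and Linux) are assumptions made for the example.

```python
"""
Added example, not code from the DuneQuixote loader: the four anti-analysis
conditions the post lists, as a checklist to run inside a sandbox or analysis
VM to see whether this loader would stay dormant there.  The 8 GB and 40 GB
thresholds are the post's; the wait time, tool list and host probes below
are assumptions made for this example (Windows and Linux, stdlib only).
"""
from dataclasses import dataclass
import os, shutil, subprocess, sys, time

GIB = 1024 ** 3
MIN_RAM, MIN_DISK = 8 * GIB, 40 * GIB
# Assumed tool names; the post does not say which processes the loader checks.
MONITORING_PROCESSES = {"procmon.exe", "procmon64.exe", "procexp64.exe",
                        "wireshark.exe", "x64dbg.exe", "ollydbg.exe", "ida64.exe"}

@dataclass
class HostSnapshot:
    debugger_present: bool
    monitoring_tool_present: bool
    cursor_moved: bool
    ram_bytes: int    # available physical memory
    disk_bytes: int   # capacity of the system volume

def failed_checks(snap: HostSnapshot) -> list[str]:
    """Every condition that would keep the loader from contacting its C2."""
    failures = []
    if snap.debugger_present:
        failures.append("debugger attached")
    if snap.monitoring_tool_present:
        failures.append("monitoring tool running")
    if not snap.cursor_moved:
        failures.append("cursor did not move during the wait")
    if snap.ram_bytes < MIN_RAM:
        failures.append(f"available RAM {snap.ram_bytes / GIB:.1f} GiB < 8 GiB")
    if snap.disk_bytes < MIN_DISK:
        failures.append(f"disk {snap.disk_bytes / GIB:.1f} GiB < 40 GiB")
    return failures

def would_contact_c2(snap: HostSnapshot) -> bool:
    return not failed_checks(snap)   # one failed check is enough to stay silent

def _debugger_present() -> bool:
    if sys.platform == "win32":
        import ctypes
        return bool(ctypes.windll.kernel32.IsDebuggerPresent())
    try:  # Linux: a ptrace-attached tracer shows up as a non-zero TracerPid
        with open("/proc/self/status") as f:
            return any(l.startswith("TracerPid:") and l.split()[1] != "0" for l in f)
    except OSError:
        return False

def _process_names() -> set[str]:
    if sys.platform == "win32":
        out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                             capture_output=True, text=True).stdout
        return {ln.split('","')[0].strip('"').lower() for ln in out.splitlines() if ln.startswith('"')}
    names = set()
    for pid in filter(str.isdigit, os.listdir("/proc") if os.path.isdir("/proc") else []):
        try:
            with open(f"/proc/{pid}/comm") as f:
                names.add(f.read().strip().lower())
        except OSError:
            pass
    return names

def _available_ram() -> int:
    if sys.platform == "win32":
        import ctypes  # MEMORYSTATUSEX: dwLength at offset 0, ullAvailPhys at 16
        buf = ctypes.create_string_buffer(64)
        ctypes.cast(buf, ctypes.POINTER(ctypes.c_ulong))[0] = 64
        ctypes.windll.kernel32.GlobalMemoryStatusEx(buf)
        return int.from_bytes(buf.raw[16:24], "little")
    return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_AVPHYS_PAGES")

def _cursor_moved(wait_seconds: float) -> bool:
    if sys.platform != "win32":
        return True  # no portable cursor API; assume an interactive user
    import ctypes
    pt = (ctypes.c_long * 2)()
    ctypes.windll.user32.GetCursorPos(pt)
    before = (pt[0], pt[1])
    time.sleep(wait_seconds)
    ctypes.windll.user32.GetCursorPos(pt)
    return before != (pt[0], pt[1])

def collect_snapshot(wait_seconds: float = 2.0) -> HostSnapshot:
    # The loader's real wait time is not given; 2 s is an assumption.
    root = os.environ.get("SystemDrive", "") + "\\" if sys.platform == "win32" else "/"
    return HostSnapshot(
        debugger_present=_debugger_present(),
        monitoring_tool_present=bool(MONITORING_PROCESSES & _process_names()),
        cursor_moved=_cursor_moved(wait_seconds),
        ram_bytes=_available_ram(),
        disk_bytes=shutil.disk_usage(root).total,
    )

if __name__ == "__main__":
    snap = collect_snapshot()
    print("loader would contact C2:", would_contact_c2(snap), failed_checks(snap))
```

Run it inside the sandbox image itself: a default 4 GB / 30 GB VM with no synthetic mouse movement fails three of the four checks, so the fix on the defender's side is the VM sizing and a cursor jitter script, not a detection signature.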
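On the COM hijacking persistence mentioned for the Go variant: COM class resolution consults the per-user hive (HKCU\Software\Classes\CLSID) before the machine hive (HKLM\Software\Classes\CLSID), so a per-user InprocServer32 entry that shadows a machine-wide class, or that points a class at a DLL in a user-writable directory, is the artefact to hunt for. The following detection heuristic is an added example, not code from CR4T or from the Kaspersky report; the post does not say which CLSID the implant hijacks, so the registry snapshots in the test are constructed and the CLSIDs in them are made up. The live reader at the bottom needs Windows.

```python
"""
Added example, not code from CR4T or the Kaspersky report: a detection
heuristic for COM hijacking persistence.  HKCU\Software\Classes\CLSID is
consulted before HKLM\Software\Classes\CLSID, so a per-user InprocServer32
that shadows a machine class, or that lives in a user-writable path, is the
signal.  Registry snapshots used for testing are constructed.
"""
import sys

# Assumed list of locations an unprivileged user can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "%userprofile%", "%appdata%",
                          "%localappdata%", "%temp%", "%tmp%")


def is_user_writable(path: str) -> bool:
    return path.strip('"').lower().startswith(USER_WRITABLE_PREFIXES)


def find_com_hijacks(hkcu: dict[str, str], hklm: dict[str, str]) -> list[dict]:
    """Compare CLSID -> InprocServer32 maps from both hives and flag suspects.

    hkcu / hklm: {clsid: server_path}; CLSIDs are compared case-insensitively.
    """
    machine = {c.lower(): p for c, p in hklm.items()}
    findings = []
    for clsid, server in hkcu.items():
        key = clsid.lower()
        shadows = key in machine and machine[key].lower() != server.lower()
        reasons = []
        if shadows:
            reasons.append(f"HKCU shadows HKLM server {machine[key]}")
        if is_user_writable(server):
            reasons.append("server DLL lives in a user-writable path")
        if reasons:
            findings.append({
                "clsid": key,
                "server": server,
                "reasons": reasons,
                # A shadowed machine class is the strong signal; a per-user-only
                # class under %LOCALAPPDATA% is normal for per-user installs.
                "confidence": "high" if shadows else "low",
            })
    return findings


def read_inprocserver32(root) -> dict[str, str]:
    """Windows only: CLSID -> default value of InprocServer32 under `root`."""
    import winreg
    out = {}
    with winreg.OpenKey(root, r"Software\Classes\CLSID") as clsids:
        i = 0
        while True:
            try:
                clsid = winreg.EnumKey(clsids, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(clsids, clsid + r"\InprocServer32") as srv:
                    out[clsid] = winreg.QueryValueEx(srv, "")[0]
            except OSError:
                continue  # class has no in-process server registered
    return out


if __name__ == "__main__" and sys.platform == "win32":
    import winreg
    hits = find_com_hijacks(read_inprocserver32(winreg.HKEY_CURRENT_USER),
                            read_inprocserver32(winreg.HKEY_LOCAL_MACHINE))
    for h in hits:
        print(h["confidence"], h["clsid"], h["server"], "; ".join(h["reasons"]))
```

The high-confidence case (a CLSID that exists under HKLM but has been re-pointed under HKCU to a DLL in the user's profile) is the classic hijack; the low-confidence case needs a second look at the DLL itself, since per-user application installs legitimately register classes there. The live reader walks only the native CLSID view; on 64-bit hosts the WOW6432Node view would need the same treatment.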