Activity of the APT31 hacker group recorded in Russia for the first time

The Positive Technologies Security Expert Center (PT Expert Security Center, PT ESC) has identified new attacks by the APT31 group and studied its new tools: malware with remote-access functionality that lets the attackers control the victim's computer or network. The initial attack vector was phishing, one of the most common forms of social engineering. According to the experts, more than a dozen malicious mailings were sent around the world between January and July of this year, and traces of the intruders were found in Mongolia, the United States, Canada and the Republic of Belarus. The APT31 group, known for attacks on government agencies in various countries, has now become active in Russia as well.

As part of a threat intelligence study, PT Expert Security Center specialists found mailings sent to Mongolia with malicious content that had not been encountered before. Similar attacks were subsequently detected in Russia, the United States, Canada and the Republic of Belarus. A detailed analysis of the malware, together with numerous overlaps in functionality, techniques and mechanisms (from the way the malicious code is introduced to the logical blocks and structures used), allowed Positive Technologies experts to attribute the identified samples to the APT31 group.

APT31 (aka Hurricane Panda and Zirconium) has been active since at least 2016; its key interests are cyber espionage and the collection of sensitive data of strategic importance. The group takes a particular interest in the public sector around the world: its victims have at various times included the Government of Finland and, presumably, the Governments of Norway and Germany. A number of researchers suggest that APT31 is also behind a series of attacks on organizations and individuals close to US presidential candidates during the 2020 election campaign. Other targets of the group include aerospace and defense enterprises, international financial companies, the high-tech sector, the telecommunications industry and the media.

While investigating one of the latest malware samples, PT ESC specialists found a link to the phishing domain inst.rsnet-devel[.]com, which imitates the domain of the Internet segment used by federal government bodies and the state authorities of constituent entities of the Russian Federation. According to Positive Technologies experts, such a malicious domain is designed to mislead both civil servants themselves and the companies that work with government agencies.

Positive Technologies participates in the exchange of data on computer incidents within the GosSOPKA system, which is coordinated by the National Computer Incident Coordination Center (NCCC, cert.gov.ru). As part of this initiative, Russian companies in the industries currently at high risk will receive appropriate notifications from the center.

"In recent years, phishing remains one of the most effective tools in the hands of attackers. To increase the effectiveness of phishing attacks, attackers create objects that mimic the information resources of government agencies, use authentic documents and other reliable information obtained during computer attacks. This allows them to generate emails that arouse the trust of recipients, and opening such emails leads to intruders entering the system in order to steal information, financial information, and carry out destructive actions. Recently, information systems of state bodies have become one of the main targets of cyber groups' aspirations. To successfully counteract such attacks, it is necessary to promptly disseminate information about the means and methods of attacks used by attackers and how to detect them. This mechanism is implemented within the framework of GosSOPKA," said Nikolai Murashov, Deputy Director of the National Coordination Center for Computer Incidents.

"Over the past year, APT31 has developed new versions of malware that attackers are actively using today, and the group's infrastructure, as we can see, is also growing. All this, coupled with the fact that the group has not previously attacked Russia, suggests that it is expanding the geography of its interests to countries where its growing activity can be detected; in particular, this affects our country," says Denis Kuvshinov, head of the Information Security Threat Research department at Positive Technologies. "We believe that in the near future, the use of other tools by this group in attacks, including on Russia, will also be revealed, which can be identified by code overlap or network infrastructure."

In the APT31 attacks studied by PT ESC specialists from January to July of this year, the attackers used the same dropper. According to the study, its task is to write a malicious library and an application vulnerable to DLL sideloading onto the infected computer. The application launched by the dropper calls one of the functions of the loaded malicious library, after which control is transferred to the malicious code.

"In fact, the detected malware is a remote access Trojan (RAT) that allows the APT group to track and control the computers or network of its victims," said Daniil Koloskov, senior specialist in the Information Security Threat Research Department at Positive Technologies. "It is worth noting the trick of the malware developers: to 'bring' the malicious library closer to the original version, it was named MSVCR100.dll, a library with the exact same name is included in Visual C++ for Microsoft Visual Studio and is available on almost all computers. In addition, it contains names that can be found as exports in the legitimate version of MSVCR100.dll."

During the analysis of malware instances, PT ESC specialists found different versions of droppers containing the same set of functions. In some cases, for example during the attacks on Mongolia, the dropper was signed with a valid digital signature. According to Positive Technologies experts, the signing certificate was most likely stolen, which also indicates a well-prepared group.

The PT Expert Security Center team continues to monitor the activity of the APT31 group in Russia and other countries and does not expect the number of its cyber attacks to decrease in the coming months. According to the company's experts, an organization can detect and counteract such attacks using security incident detection systems (SIEM), deep traffic analysis systems (NTA) and sandbox solutions. To reduce the attackers' window of opportunity, Positive Technologies experts recommend that companies add the indicators of compromise presented in the report to their security tools, and that employees promptly report any suspicious mailings they receive to information security officers.

----

Chinese hackers have targeted dozens of IT systems used by Russian government organizations and IT companies. Hackers are using an updated version of the Cloudsorcerer malware.

New attacks on state organizations in Russia

Information security specialists from Kaspersky Lab have identified an active series of targeted cyber attacks on dozens of computers belonging to Russian government organizations and IT companies. This was reported in mid-August 2024 by BleepingComputer.

In these cyberattacks, hackers infected devices through phishing emails with attachments containing malicious shortcut files. When the shortcuts were opened, malware was installed that then received commands via the Dropbox cloud storage. Using this software, the attackers downloaded additional Trojans to the infected computers, in particular tools used by the APT31 cyber group and an updated Cloudsorcerer backdoor. Kaspersky Lab named this campaign Eastwind.

The APT27 hacker group is known for its attacks on government organizations, large corporations and international organizations. The group is also known as Emissary Panda and Threat Group-3390. APT27 has its roots in China and has been tracked by cybersecurity researchers since early 2010. The group is engaged in espionage, theft of confidential information and cyber attacks on large organizations around the world.

The APT31 group (also known as Zirconium or Judgment Panda) has been known since 2016. Its characteristic feature is a specific cyber attack vector: exploiting vulnerabilities in applications such as Java and Adobe Flash, and using previously unknown zero-day vulnerabilities from Equation. At various times, the governments of Finland, Norway and Germany have fallen victim to the group. A number of experts believe that this group conducted the attacks on Microsoft Exchange in the UK and the US, the attacks on organizations and individuals close to US presidential candidates during the 2020 election campaign, and attacks in France in 2021. Some experts also suggest that this group has Chinese roots.

According to Kaspersky Lab, the GrewApacha Trojan, which the attackers downloaded from the Dropbox cloud storage, has been used by the APT31 group since at least 2021. The Cloudsorcerer backdoor has been updated and now uses profiles on the LiveJournal blog platform and on the Quora Q&A site as its initial command server. The attacks also use a previously unknown implant, Plugy, with the functionality of a classic backdoor. The implant is loaded via the Cloudsorcerer backdoor, has an extensive set of commands, and supports three different protocols for communicating with the command server. In addition, its code is similar to that of the DRBControl backdoor (also known as Clambling), which several information security companies attribute to the APT27 group.

Technical information

The hackers used targeted phishing for the initial infection. They sent malicious emails with attached RAR archives to email addresses belonging to the affected organizations. The archives had the following names: "Initiative group from the Chernigovsky district of Primorsky Krai.rar" and "вх.rar". They contained a folder named ".con" that held a legitimate decoy document, 1.docx, a legitimate file, desktop.exe, and a malicious file, VERSION.dll.

It is noteworthy that a similar infection method was used in a cyber attack on an organization in the United States involving the Cloudsorcerer backdoor, as reported by Proofpoint in July 2024.

The hackers use the classic DLL sideloading technique: when desktop.exe is run, the malicious library VERSION.dll is loaded into its process. This library is a backdoor packed with the VMProtect tool. On startup it tries to contact the Dropbox cloud service using a hard-coded authentication token. Once connected to the cloud, the backdoor reads the commands to execute from the file <computer name>/a.psd in the storage. In total, the backdoor supports five commands, named dir, exec, sleep, upload and dawnload. The results of these commands are uploaded to the cloud storage in the file <computer name>/b.psd.

APT31 Dimension

According to information security specialists from Kaspersky Lab, the Chinese hackers used the backdoor described above to collect information about infected computers and install additional malware on them. When the attackers ran the file msedgeupdate.exe, the malicious library msedgeupdate.dll was loaded into its process, again using DLL sideloading.

Although the set of three files resembles the "trinity" characteristic of PlugX attacks, analysis of these files showed that they are the GrewApacha RAT of the APT31 group, previously described in 2021 and 2023. The loader's behavior (msedgeupdate.dll) has not changed a year later: as before, it decrypts the payload stored on disk using an XOR key and loads it into the dllhost.exe process.

The RAT itself is also not much different from what was described in 2023. However, the hackers have made small changes to how it works: for example, the new version uses two command servers instead of one. As the initial server, the attackers use the biography field of a GitHub profile, which contains a Base64-encoded string that the Trojan reads. The malware decodes the string extracted from the GitHub profile and then decrypts it with a single-byte XOR using the key 0x09, thereby obtaining the address of the main command server (in the observed sample, update.studiokaspersky[.]com).
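The dead-drop resolver just described, reproduced as an added analyst helper (not code from the Kaspersky report or from the malware): it Base64-decodes a profile-bio token, XORs every byte with 0x09, and returns the hostname-shaped result. The bio text and the token are constructed here; the only value taken from the article is the key 0x09 and the defanged C2 name.

```python
import base64
import re
from typing import Optional

XOR_KEY = 0x09  # single-byte key reported for GrewApacha's profile-bio resolver
HOST_RE = re.compile(r"[A-Za-z0-9.\-\[\]]+")  # shape of a plausible (defanged) hostname


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encode_dead_drop(c2: str, key: int = XOR_KEY) -> str:
    """Produce a bio token in the described scheme (XOR, then Base64).
    Used here only to construct the sample input for the decoder."""
    return base64.b64encode(xor_bytes(c2.encode("ascii"), key)).decode("ascii")


def decode_dead_drop(token: str, key: int = XOR_KEY) -> str:
    """Reverse the scheme: strict Base64 decode, then XOR each byte with the key.
    Raises ValueError for non-Base64 input or a non-ASCII result."""
    raw = base64.b64decode(token, validate=True)
    return xor_bytes(raw, key).decode("ascii")


def extract_c2(bio: str, key: int = XOR_KEY) -> Optional[str]:
    """Scan free text (a scraped profile bio) for the one whitespace-separated
    token that decodes to a hostname-shaped string; None if nothing does."""
    for token in bio.split():
        try:
            candidate = decode_dead_drop(token, key)
        except ValueError:  # bad padding, non-Base64 characters, non-ASCII result
            continue
        if "." in candidate and HOST_RE.fullmatch(candidate):
            return candidate
    return None


# Constructed sample bio: filler text plus one token encoding the C2 named in the article
SAMPLE_BIO = "security researcher | " + encode_dead_drop("update.studiokaspersky[.]com")

if __name__ == "__main__":
    print(extract_c2(SAMPLE_BIO))  # update.studiokaspersky[.]com
```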

Detecting traces of the identified attack

The Trojans identified during the cyberattack are very different from each other. Therefore, it is necessary to use a separate set of compromise indicators to detect each of them.

To detect the backdoor that is distributed by email and uses Dropbox to communicate with the intruders, you can search for relatively large DLL files (more than 5 MB). Regular access to the Dropbox cloud in network traffic may also indicate this backdoor.

The GrewApacha Trojan of the APT31 group can be detected by searching the file system for an unsigned file named msedgeupdate.dll; this file is also several MB in size. The Plugy implant delivered via the Cloudsorcerer backdoor starts a process called msiexec.exe for each user logged in to the system, and also creates named pipes following a fixed name template. The presence of both of these indicators on a system indicates infection with a high degree of confidence.
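A file-system sweep for the two DLL indicators above (DLLs over 5 MB, and the sideloaded names VERSION.dll and msedgeupdate.dll), written here as an added triage helper rather than code from the report. The signature check that confirms a hit (Get-AuthenticodeSignature on Windows) is assumed to be run separately; the sample directory tree is constructed in a temp directory.

```python
import os
import tempfile
from dataclasses import dataclass

LARGE_DLL_BYTES = 5 * 1024 * 1024  # "more than 5 MB" threshold from the report
WATCHED_NAMES = {"version.dll", "msedgeupdate.dll"}  # sideloaded DLL names from the report


@dataclass
class Finding:
    path: str
    size: int
    reasons: list


def hunt_dlls(root: str, min_size: int = LARGE_DLL_BYTES) -> list:
    """Walk a tree and flag DLLs matching the report's indicators. A hit is a
    lead for triage, not proof: the signature check is done afterwards."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:  # unreadable or vanished file: skip, keep walking
                continue
            reasons = []
            if name.lower() in WATCHED_NAMES:
                reasons.append("filename matches a sideloaded DLL from the Eastwind report")
            if size > min_size:
                reasons.append(f"unusually large DLL ({size} bytes)")
            if reasons:
                findings.append(Finding(path, size, reasons))
    return findings


def demo() -> list:
    """Build a constructed sample tree (sparse files), run the hunt, return hits sorted by path."""
    with tempfile.TemporaryDirectory() as base:
        layout = {  # relative path -> size in bytes (all constructed)
            "Users/alice/Downloads/.con/VERSION.dll": 6 * 1024 * 1024,  # large and watched name
            "Program Files/Tool/msedgeupdate.dll": 120_000,             # watched name only
            "Windows/System32/helper.dll": 7 * 1024 * 1024,             # large only
            "Windows/System32/kernelbase.dll": 900_000,                 # benign, not flagged
            "Users/alice/Downloads/1.docx": 6 * 1024 * 1024,            # large but not a DLL
        }
        for rel, size in layout.items():
            path = os.path.join(base, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.truncate(size)  # sparse file: reports the size without writing the bytes
        return sorted(hunt_dlls(base), key=lambda h: h.path)
```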

In attacks on Russian government organizations, hackers often use toolkits that implement a variety of techniques and tactics. When developing these tools, they put a lot of effort into disguising malicious activity in network traffic as much as possible. For example, the hackers behind the Eastwind campaign used popular network services such as GitHub, Dropbox and Quora, as well as the Russian LiveJournal and Yandex.Disk, as command servers.

Notably, the Eastwind campaign involved malware from two different Chinese-speaking groups, APT27 and APT31. This example clearly shows that APT groups often work together, actively sharing their knowledge and tools for cyber attacks.