Under the hood from 2022: Shedding Zmiy hackers stole secrets of Russian companies for 2 years

Cybercriminals spend millions buying malware.

Specialists at the Solar 4RAYS Cyber Threat Research Center discovered and studied the activity of the highly professional hacker group Shedding Zmiy. According to the experts, the attackers used the compromised data of Russian companies not only for follow-on attacks, but also published it publicly. At the same time, the group's main goal, according to the researchers, was not financial gain but the theft of confidential information.

Solar 4RAYS could not attribute the group's origin with certainty, but noted several features characteristic of it. First, the stolen data was published in pro-Ukrainian Telegram channels. Second, in terms of the tools used, Shedding Zmiy is linked to other groups (Cobalt, exCobalt, Shadow, Comet, Twelve, "about the origin of which there is a certain opinion in the cyber threat research community"). Third, the attack logs contained commands in Ukrainian and Russian. Finally, Shedding Zmiy's targets were mostly Russian organizations.

According to the experts, the group poses a serious threat to the Russian Federation. It uses both publicly available and its own unique malware. In some cases the hackers used compromised legitimate servers to install malware on victims' systems. Shedding Zmiy is also able to cover its tracks: the group owns "an extensive network of command servers on the territory of Russia, rents resources from various hosting providers and on cloud platforms; this helps hackers bypass blocking of attacks on a territorial basis (by GeoIP)."

Incidents that at first glance looked isolated, but shared similar malware, exploited vulnerabilities and infrastructure, were combined by the experts into a single cluster. In total, Solar 4RAYS specialists found traces of 35 different tools used at the stages of reconnaissance, malware delivery, lateral movement across the network and data theft. To break into networks, escalate privileges and establish persistence, the hackers used at least 20 known vulnerabilities in popular enterprise software.

In addition to technical means, Shedding Zmiy readily resorted to social engineering. In one case, for example, the attackers created a fake Telegram account posing as an employee of the victim company's information security service in order to ask a real employee for a password to log in to the system. Using the compromised account, the attackers gained access to several more hosts, where they deployed malware.

Since the beginning of 2022, the group has attacked several dozen Russian companies from the government, industrial, telecommunications and other key sectors. Solar 4RAYS did not disclose the names of specific victims.

According to the experts, Shedding Zmiy consists of separate teams with different specializations: pentesters, malware developers, operators and administrators. Preparing such attacks requires a minimum of 5-6 highly qualified employees of various profiles and a serious budget, including funds for the purchase of commercial malware such as SystemBC, EkipaRAT and DarkGate.

On underground forums, offers to sell DarkGate reach approximately $100,000 for an annual license. Developing the arsenal itself costs an order of magnitude more than a copy of the software, that is, not $100,000 but $1 million, the experts say. In turn, the cost of an attack is another order of magnitude higher than the cost of development: it includes both several utilities and a considerable amount of the attackers' own time and resources.

The hackers themselves demonstrate a very high level of development skill. In particular, they created an entire framework for automated exploitation of one of the vulnerabilities. This indicates that significant time and financial resources have been invested in developing the group's malware arsenal.