Hackers backdoor Russian state, industrial orgs for data theft



Several government and key industrial organizations in Russia were attacked with a custom Go-based backdoor that performs data theft, likely aiding espionage operations.

Kaspersky first detected the campaign in June 2023, while in mid-August the cybersecurity firm spotted a newer version of the backdoor that introduced better evasion, indicating ongoing optimization of the attacks.

The threat actors responsible for this campaign are unknown, and Kaspersky was limited to sharing indicators of compromise that can help defenders thwart the attacks.

Malicious ARJ archives

The attack begins with an email carrying a malicious ARJ archive named 'finansovyy_kontrol_2023_180529.rar' (financial control), which is in fact a Nullsoft archive executable.

The archive contains a decoy PDF document used to distract the victim and an NSIS script that fetches the main payload from an external URL (fas-gov-ru[.]com) and launches it.

The malware payload is dropped at 'C:\ProgramData\Microsoft\DeviceSync\' as 'UsrRunVGA.exe'.

Figure: Get command to fetch the payload (Source: Kaspersky)

Kaspersky says the same phishing operation distributed two more backdoors named 'Netrunner' and 'Dmcserv'. These are the same malware with different C2 (command and control) server configurations.

The script launches the malicious executables in a hidden window and adds a Start Menu link to establish persistence.
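A defender-side example, added here and not taken from the article or Kaspersky's report: a small Python detector that replays constructed Sysmon-style events and flags the three artifacts of the chain above, the DNS lookup of the staging domain, the drop of UsrRunVGA.exe under DeviceSync, and a new Start Menu link. The event field names and the exact Startup-folder path for the link are assumptions.

```python
"""Replays constructed Sysmon-style events and flags the artifacts described
in the article. Added example, not the article's or Kaspersky's own code.
Field names follow Sysmon's usual schema (EventID 22 = DNS query,
EventID 11 = file create); the Startup-folder path is an assumption."""
import json
import re

# Indicators quoted in the article (the domain is written defanged there as fas-gov-ru[.]com).
STAGING_DOMAIN = "fas-gov-ru.com"
DROP_PATH = r"c:\programdata\microsoft\devicesync\usrrunvga.exe"
# Assumed persistence location: a .lnk written to the per-user Start Menu Startup folder.
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)

# Constructed sample events: one benign lookup followed by three chain artifacts.
SAMPLE_EVENTS = [
    {"EventID": 22, "QueryName": "update.microsoft.com", "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 22, "QueryName": "fas-gov-ru.com", "Image": "C:\\Users\\u\\finansovyy_kontrol_2023_180529.rar"},
    {"EventID": 11, "TargetFilename": "C:\\ProgramData\\Microsoft\\DeviceSync\\UsrRunVGA.exe"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DeviceSync.lnk"},
]


def detect(events):
    """Return (rule_name, event) pairs for every event matching one of the indicators."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 22 and ev.get("QueryName", "").lower().rstrip(".") == STAGING_DOMAIN:
            hits.append(("dns_to_staging_domain", ev))
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            if target.lower() == DROP_PATH:
                hits.append(("backdoor_dropped_in_devicesync", ev))
            elif STARTUP_LNK.search(target):
                hits.append(("startup_lnk_persistence", ev))
    return hits


def detect_json_lines(lines):
    """Same detection over newline-delimited JSON, as exported by most log shippers."""
    return detect(json.loads(line) for line in lines if line.strip())


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, ev)
```

Each rule fires on a different stage of the chain, so correlating all three on one host is a stronger signal than any single hit.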

Figure: Attack chain diagram (Source: Kaspersky)

The functionality of the backdoor includes the following:

  • List files and folders in a specified directory.
  • Transfer (exfiltrate) files from the host to the C2.
  • Obtain clipboard contents.
  • Grab desktop screenshots.
  • Search the disk for files with specific extensions (.doc, .docx, .pdf, .xls, .xlsx, .ppt, .pptx, .zip, .rar, .7z, .odt, .ods, .kdbx, .ovpn, .pem, .crt, .key) and transfer them to the C2.

All data sent to the C2 server is first AES encrypted to evade detection by network monitoring solutions.

To evade analysis, the malware performs username, system name, and directory checks to detect whether it is running in a virtualized environment, and exits if it is.

The results of these checks are sent to the C2 in the first stage of the infection to be used for victim profiling.

Figure: Anti-sandbox checks (Source: Kaspersky)

New version steals passwords

In mid-August, Kaspersky noticed a new variant of the backdoor that featured minor changes, such as the removal of some noisy preliminary checks and the addition of new file-stealing capabilities.

Most notably, the new version adds a module that targets user passwords stored in 27 web browsers and the Thunderbird email client.

Browsers targeted by the latest backdoor version include Chrome, Firefox, Edge, Opera, Brave, Vivaldi, and Yandex, a popular and trusted browser in Russia.

The AES key has been refreshed in this malware version, and RSA asymmetric encryption has been added to protect client-C2 command and parameter communications.