
China's APT31 Suspected in Attacks on Air-Gapped Systems in Eastern Europe

Aug 01, 2023 | THN | Cyber Attack / Data Safety


A nation-state actor with links to China is suspected of being behind a series of attacks against industrial organizations in Eastern Europe that took place last year to siphon data stored on air-gapped systems.

Cybersecurity company Kaspersky attributed the intrusions with medium to high confidence to a hacking crew known as APT31, which is also tracked under the monikers Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium), citing commonalities in the tactics observed.

The attacks entailed the use of more than 15 distinct implants and their variants, broken down into three broad categories based on their ability to establish persistent remote access, gather sensitive information, and transmit the collected data to actor-controlled infrastructure.

"One of the implant types appeared to be a sophisticated modular malware, aimed at profiling removable drives and contaminating them with a worm to exfiltrate data from isolated, or air-gapped, networks of industrial organizations in Eastern Europe," Kaspersky said.

"The other type of implant is designed for stealing data from a local computer and sending it to Dropbox with the help of the next-stage implants."

One set of backdoors comprises various variations of a malware family known as FourteenHi that have been put to use since at least mid-March 2021 and which come with a wide spectrum of capabilities to upload and download arbitrary files, run commands, start a reverse shell, and erase their own presence from the compromised hosts.


A second first-stage backdoor used for remote access and initial data gathering is MeatBall, which possesses abilities to list running processes, enumerate connected devices, perform file operations, capture screenshots, and self-update.

Also discovered is a third type of first-stage implant that makes use of Yandex Cloud for command-and-control, mirroring similar findings from Positive Technologies in August 2022 detailing APT31 attacks targeting Russian media and energy companies.

"The tendency to abuse cloud services (e.g., Dropbox, Yandex, Google, etc.) is not new, but it continues to expand, because it is hard to limit / mitigate in cases when an organization's business processes depend on using such services," Kaspersky researchers said.

"Threat actors keep making it more difficult to detect and analyze threats by hiding payloads in encrypted form in separate binary data files and by hiding malicious code in the memory of legitimate applications via DLL hijacking and a chain of memory injections."

APT31 has also been observed using dedicated implants for collecting local files as well as exfiltrating data from air-gapped systems by infecting removable drives.

The latter malware strain consists of at least three modules, with each component responsible for different tasks, such as profiling and handling removable drives, recording keystrokes and screenshots, and planting second-stage malware on newly connected drives.

"The threat actor's deliberate efforts to obfuscate their actions through encrypted payloads, memory injections, and DLL hijacking [underscore] the sophistication of their tactics," Kirill Kruglov, senior security researcher at Kaspersky ICS CERT, said.


"Although exfiltrating data from air-gapped networks is a recurrent strategy adopted by many APTs and targeted cyberespionage campaigns, this time it has been designed and implemented uniquely by the actor."

While the aforementioned attack chains are expressly engineered for the Windows environment, there is evidence that APT31 has set its sights on Linux systems as well.

Earlier this month, the AhnLab Security Emergency Response Center (ASEC) uncovered attacks likely carried out by the adversary against South Korean companies with the goal of infecting the machines with a backdoor known as Rekoobe.

"Rekoobe is a backdoor that can receive commands from a [command-and-control] server to perform various functions such as downloading malicious files, stealing internal data from a system, and executing reverse shell," ASEC said.

"While it may seem simple in structure, it employs encryption to evade network packet detection and can perform a variety of malicious behaviors through commands from the threat actor."
