
A series of targeted cyber attacks that began in late July 2024, hitting dozens of systems used by Russian government organizations and IT companies, has been linked to Chinese hackers from the APT31 and APT27 groups.

Kaspersky, which discovered the activity, named the campaign "EastWind", reporting that it uses an updated version of the CloudSorcerer backdoor seen in a similar cyber-espionage campaign in May 2024, which also targeted Russian government agencies.

It should be noted that CloudSorcerer's activity is not limited to Russia, as Proofpoint recorded an attack targeting a US-based think tank in May 2024.

EastWind toolkit

The initial infection relies on phishing emails carrying a RAR archive attachment named after the target. The archive uses DLL sideloading to drop a backdoor fetched from Dropbox onto the system while the document inside is opened as a decoy.

The backdoor can navigate the file system, execute commands, extract data, or introduce additional payloads on the compromised machine.

Kaspersky's observations revealed that the attackers used the backdoor to introduce a trojan called 'GrewApacha', which has been associated with APT31.

The latest version of GrewApacha has some improvements over the last version analyzed in 2023, including the use of two command servers instead of one, with their addresses stored as a base64-encoded string in GitHub profiles from which the malware reads them.

C2 address "hidden" in public profiles
Source: Kaspersky

Another piece of malware loaded by the backdoor is the latest version of CloudSorcerer, packed with VMProtect to hinder analysis.

CloudSorcerer uses an encryption-based protection mechanism designed to prevent its execution on non-targeted systems, relying on a unique key-generation process bound to the victim machine.

After execution, a utility (GetKey.exe) generates a unique four-byte number from the current system state and encrypts it using the Windows CryptProtectData function to obtain a unique, system-bound ciphertext.

If an attempt is made to run the malware on another machine, the generated key will be different, so decryption of the CloudSorcerer payload will fail.

The main GetKey function
Source: Kaspersky

The new version of CloudSorcerer also uses public profile pages to get its initial C2 address but has now switched from GitHub to using Quora and the Russian social media network LiveJournal for this purpose.

The third implant seen in the EastWind attacks, introduced by CloudSorcerer, is PlugY, a previously unknown backdoor.

PlugY is highly versatile in its C2 communications and capable of executing commands for file operations, shell command execution, screen capturing, keylogging, and clipboard monitoring.

Kaspersky’s analysis suggests that the code used in PlugY has been previously seen in attacks by the APT27 threat group.

Also, the library used for C2 communications over the UDP protocol is found only in DRBControl and PlugX, malware tools widely used by Chinese threat actors.

Code similarity between DRBControl (left) and PlugY (right).
Source: Kaspersky

Kaspersky commented that, because the backdoors used in the EastWind attacks vary significantly, it is difficult to detect all of them on a compromised machine. A few indicators to look for:

  • DLL files larger than 5MB in the 'C:\Users\Public' directory.
  • Unsigned 'msedgeupdate.dll' files in the file system.
  • A running process named 'msiexec.exe' for each logged-in user.
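The three indicators above can be checked on a Windows host with a short hunting script. The script below is an added example written for this article, not Kaspersky's code; it takes only the paths, file name and size threshold from the indicators listed, and it interprets the third indicator as msiexec.exe instances running under interactive user accounts rather than SYSTEM (an assumption of this example).

```powershell
# Added example: hunt for the three EastWind indicators on the local host.
# Run from an elevated PowerShell prompt so that all users' processes are visible.
function Find-EastWindIndicators {
    $findings = @()

    # 1. DLL files larger than 5 MB under C:\Users\Public (sideloaded loaders).
    Get-ChildItem -Path 'C:\Users\Public' -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 5MB } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Indicator = 'Large DLL in C:\Users\Public'
                Detail    = "$($_.FullName) ($([math]::Round($_.Length / 1MB, 1)) MB)"
            }
        }

    # 2. msedgeupdate.dll without a valid Authenticode signature anywhere on C:.
    #    The genuine Edge updater DLL is signed, so an unsigned copy is suspicious.
    Get-ChildItem -Path 'C:\' -Filter 'msedgeupdate.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                $findings += [pscustomobject]@{
                    Indicator = 'Unsigned msedgeupdate.dll'
                    Detail    = "$($_.FullName) (signature status: $($sig.Status))"
                }
            }
        }

    # 3. msiexec.exe running per logged-in user. Windows Installer normally runs as
    #    SYSTEM or only briefly during an install; a persistent instance owned by an
    #    interactive user (assumption: owner is not SYSTEM) is worth a closer look.
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'msiexec.exe'"
    foreach ($p in $procs) {
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($owner.ReturnValue -eq 0 -and $owner.User -and $owner.User -ne 'SYSTEM') {
            $findings += [pscustomobject]@{
                Indicator = 'msiexec.exe running under a user account'
                Detail    = "PID $($p.ProcessId) as $($owner.Domain)\$($owner.User): $($p.CommandLine)"
            }
        }
    }
    return $findings
}

$results = Find-EastWindIndicators
if ($results.Count -eq 0) { Write-Output 'No EastWind indicators found on this host.' }
else { $results | Format-Table -AutoSize -Wrap }
```

The recursive scan of the whole system drive for msedgeupdate.dll can take several minutes; any hit is a lead to triage against the other two indicators, not proof of compromise on its own.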

The Russian cybersecurity firm concluded that APT27 and APT31 were likely working together on EastWind.

The case highlights the complex interactions between allied nations with active cyber espionage operations against each other despite strong diplomatic ties and shared strategic goals.

Cooperation in the economic, security and military sectors does not prevent intelligence agencies operating in the shadows from launching sophisticated and narrowly targeted espionage operations to gather valuable intelligence.
