October 24, 2023 at 03:55PM
Russian state and industrial organizations have been targeted in a cyber attack using a custom Go-based backdoor. Kaspersky detected the campaign in June 2023 and later found a newer version of the backdoor, indicating ongoing optimization by the attackers. The threat actors behind the attack are unknown, but Kaspersky has shared indicators of compromise to help defenders counter the attacks. The attack begins with a malicious ARJ archive sent via email, which contains a decoy PDF document and an NSIS script that fetches the primary payload from an external URL. The backdoor has various functionalities, including exfiltrating files, obtaining clipboard contents, taking screenshots, and searching for specific file types. The malware also performs checks to evade detection and analysis, and in the newer version, it has added the capability to steal passwords from web browsers and email clients.
Meeting Notes:
– Several state and key industrial organizations in Russia have been attacked with a custom Go-based backdoor that steals data and likely aids espionage operations.
– Kaspersky detected the campaign in June 2023 and identified a newer version of the backdoor with better evasion techniques in mid-August, suggesting ongoing optimization of the attacks.
– The threat actors responsible for the campaign are unknown, and Kaspersky has shared indicators of compromise to help defenders thwart the attacks.
– The attack begins with a malicious ARJ archive sent via email. The archive contains a decoy PDF document and an NSIS script that fetches the primary payload from an external URL (fas-gov-ru[.]com) and launches it.
– The malware payload is dropped at ‘C:\ProgramData\Microsoft\DeviceSync\’ as ‘UsrRunVGA.exe.’
– Kaspersky detected two more backdoors, ‘Netrunner’ and ‘Dmcserv’, distributed in the same phishing wave but with different C2 server configurations.
– The backdoor has functionality such as listing files and folders, exfiltrating files to the C2, obtaining clipboard contents, grabbing desktop screenshots, searching for specific file extensions, and transferring them to the C2.
– All data sent to the C2 server is AES-encrypted to evade detection.
– The malware performs anti-sandbox checks by verifying username, system name, and directory to detect virtualized environments and exits if it detects one.
– A new variant of the backdoor was discovered in mid-August, which includes minor changes and adds a module to steal user passwords stored in 27 web browsers and the Thunderbird email client.
– The targeted browsers include Chrome, Firefox, Edge, Opera, Brave, Vivaldi, and Yandex.
– The new version features a refreshed AES key and uses RSA asymmetric encryption to protect client-C2 command and parameter communications.