EastWind Attack Deploys PlugY and GrewApacha Backdoors Using Booby-Trapped LNK Files

August 12, 2024 at 12:27AM

Russian government and IT organizations are the targets of a spear-phishing campaign codenamed EastWind. The attack delivers backdoors and trojans through booby-trapped LNK files and relies on DLL side-loading to get its payloads running. The malware families GrewApacha, CloudSorcerer, and PlugY are used for espionage and data theft, with command-and-control and exfiltration routed over legitimate platforms including Dropbox and GitHub. A separate watering hole attack distributing the CMoon worm is also detailed.

Key Takeaways:

– A new campaign codenamed EastWind targets the Russian government and IT organizations, delivering backdoors and trojans through spear-phishing; the malware observed includes GrewApacha, CloudSorcerer, and PlugY.
– Delivery relies on RAR archive attachments containing a Windows shortcut (LNK) file, with the payload loaded through DLL side-loading.
– PlugY communicates with its command-and-control servers over three different protocols, while GrewApacha uses an attacker-controlled GitHub profile as a dead drop resolver.
– CloudSorcerer and GrewApacha leverage legitimate platforms such as LiveJournal, Quora, Dropbox, Microsoft Graph, and Yandex Cloud for initial C2 communication.
– CloudSorcerer uses an encryption-based protection mechanism so that the malware only detonates on the victim's computer.
– The campaign also involves a watering hole attack on a legitimate site related to gas supply in Russia, distributing a worm named CMoon that can harvest confidential and payment data and launch DDoS attacks.
– CMoon, written in .NET, monitors connected USB drives to steal files and copy itself to other computers, and collects data from web browsers, cryptocurrency wallets, instant messaging apps, and more.
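
The RAR-plus-LNK delivery described above is cheap to triage at the mail gateway or in the sandbox: pull the shortcut out of the archive, read where it points, and check whether an EXE/DLL pair ships alongside it. The script below is an added example written for this summary, not code from the original report or from any of the malware families named. It implements a minimal reader for the MS-SHLLINK StringData sections (it skips the LinkTargetIDList and LinkInfo blocks, so a shortcut that carries its target only in the ID list needs a full parser) and applies three heuristics: a script/LOLBin host as the target, a minimized-without-focus ShowCommand, and a bundled EXE sitting next to a DLL in the same archive directory, which is the DLL side-loading layout. The archive listings and shortcut contents are constructed samples; the file names `viewer.exe` and `version.dll` are assumptions for illustration, not EastWind indicators.

```python
import struct

# MS-SHLLINK ShellLinkHeader (76 bytes): HeaderSize, LinkCLSID, LinkFlags, FileAttributes,
# three FILETIMEs, FileSize, IconIndex, ShowCommand, HotKey and three reserved fields.
HEADER_FMT = "<I16sIIQQQIIIHHII"
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order whenever their flag is set.
STRING_SECTIONS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7   # launch minimized without focus: common in lure shortcuts

# Script and LOLBin hosts that a shortcut posing as a document has no business launching.
SUSPICIOUS_HOSTS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
                    "mshta.exe", "wscript.exe", "cscript.exe"}


def build_lnk(relative_path, arguments="", working_dir="", show_command=SW_SHOWNORMAL):
    """Construct a minimal Unicode .lnk that carries only StringData (used to make samples)."""
    flags = IS_UNICODE
    body = b""
    for flag, value in ((HAS_NAME, ""), (HAS_RELATIVE_PATH, relative_path),
                        (HAS_WORKING_DIR, working_dir), (HAS_ARGUMENTS, arguments),
                        (HAS_ICON_LOCATION, "")):
        if value:
            flags |= flag
            # CountCharacters (no terminator) followed by UTF-16LE text
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack(HEADER_FMT, LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body


def parse_lnk(data):
    """Return the StringData fields and ShowCommand of a shell link; skips IDList and LinkInfo."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    header_size, clsid, flags, show_command = fields[0], fields[1], fields[2], fields[9]
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or CLSID)")
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) then the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"show_command": show_command}
    for flag, name in STRING_SECTIONS:
        info[name] = ""
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                info[name] = data[pos:pos + count].decode("cp1252", errors="replace")
                pos += count
    return info


def triage_lnk(data, archive_listing):
    """Return the reasons a shortcut found inside an archive looks like a lure (empty if none)."""
    info = parse_lnk(data)
    target = info["relative_path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    siblings = {n.replace("\\", "/").rsplit("/", 1)[-1].lower() for n in archive_listing}
    reasons = []
    if target in SUSPICIOUS_HOSTS:
        reasons.append("launches %s with arguments %r" % (target, info["arguments"]))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (window kept away from the user)")
    # Side-loading layout: the shortcut runs an EXE shipped in the archive and a DLL sits beside
    # it; for DLLs outside KnownDLLs the loader searches the application directory first.
    dlls = sorted(s for s in siblings if s.endswith(".dll"))
    if target.endswith(".exe") and target in siblings and dlls:
        reasons.append("runs bundled %s next to %s (DLL side-loading pattern)" % (target, ", ".join(dlls)))
    return reasons


# Constructed samples (assumed names, not the real EastWind artifacts).
LURE_ARCHIVE = ["Report.lnk", "viewer.exe", "version.dll"]
LURE_LNK = build_lnk(".\\viewer.exe", show_command=SW_SHOWMINNOACTIVE)
BENIGN_ARCHIVE = ["Notes.lnk"]
BENIGN_LNK = build_lnk("..\\..\\Windows\\notepad.exe", working_dir="C:\\Windows")

if __name__ == "__main__":
    for label, lnk, listing in (("lure", LURE_LNK, LURE_ARCHIVE), ("benign", BENIGN_LNK, BENIGN_ARCHIVE)):
        print(label, triage_lnk(lnk, listing))
```

In production the `archive_listing` comes from the archive tool's file list and `data` from the extracted shortcut; the heuristics are deliberately coarse and are meant to route a sample to detonation, not to convict it on their own.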

This campaign appears to be sophisticated, utilizing a range of malware and tactics to conduct cyber espionage and data theft. The use of legitimate platforms for communication and the incorporation of a watering hole attack demonstrate the attackers’ strategic approach to infiltrating and compromising targeted systems.
