Russian state organizations and key industrial players have fallen victim to a meticulously orchestrated cyber espionage campaign.
Based on a report by Bleeping Computer, the attackers leveraged a custom Go-based backdoor, which not only infiltrates the target systems but also engages in data theft, making it a potent tool in cyber espionage.
Kaspersky Gives Glimpses of the Campaign
The first traces of this cyber campaign were unearthed by Kaspersky in June 2023. Notably, in mid-August, the cybersecurity experts detected a newer version of the backdoor, characterized by enhanced evasion tactics. This evolution indicates that the threat actors behind the campaign are actively optimizing their attack strategies to elude detection.
The identity and motives of the threat actors behind this campaign remain unknown. Kaspersky has, however, shared indicators of compromise (IoCs) that defenders can use to detect and counter these attacks.
Malicious ARJ Archives: The Entry Point
The attack commences with a malicious ARJ archive delivered via email. The archive is deceptively named 'finansovyy_kontrol_2023_180529.rar' ('financial control') and contains a Nullsoft (NSIS) installer executable.
Inside the archive, a decoy PDF document serves to distract the victim, while an NSIS script is responsible for fetching the primary payload from an external URL, subsequently launching it.
The malicious payload is written to 'C:\ProgramData\Microsoft\DeviceSync' under the name 'UsrRunVGA.exe'.
Kaspersky's investigation uncovered that the same phishing wave disseminated two additional backdoors, 'Netrunner' and 'Dmcserv.' Although these share similarities with the initial malware, they exhibit distinct command and control (C2) server configurations.
The NSIS script silently deploys the malicious executables and creates a Start Menu shortcut so that the backdoor persists across reboots.
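The drop location and Start Menu persistence described above can be turned into a simple host hunt. The following Python script is an added example and is not code from the article, from Kaspersky or from Bleeping Computer; it runs over a constructed inventory of file paths and resolved shortcut targets (collection tooling is left to the reader, since the page names none), and the "suspicious" launch roots it checks beyond the published IoC are an assumption to tune per estate.

```python
r"""Hunt for the drop location and Start Menu persistence described in the article.

Indicators taken from the article: the payload 'UsrRunVGA.exe' written under
C:\ProgramData\Microsoft\DeviceSync, and a Start Menu shortcut that launches it.
The host inventory below is constructed for this example; in practice you would
feed in a real file listing and the targets resolved from .lnk files.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators of compromise quoted in the article.
IOC_DROP_DIR = PureWindowsPath(r"C:\ProgramData\Microsoft\DeviceSync")
IOC_PAYLOAD_NAME = "usrrunvga.exe"

# Heuristic (assumption, not from the article): a Start Menu shortcut that
# launches an executable from one of these user-writable roots is unusual.
SUSPICIOUS_TARGET_ROOTS = (
    PureWindowsPath(r"C:\ProgramData"),
    PureWindowsPath(r"C:\Users\Public"),
)
START_MENU_MARKER = r"\microsoft\windows\start menu\programs"


@dataclass(frozen=True)
class Shortcut:
    lnk_path: str   # where the .lnk file lives
    target: str     # the executable the shortcut launches


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = matches a published IoC, "medium" = heuristic lead
    reason: str
    evidence: str


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if path equals root or lies beneath it (Windows paths are case-insensitive)."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return len(p) >= len(r) and p[: len(r)] == r


def hunt_files(file_paths: list[str]) -> list[Finding]:
    """Flag the known payload, and any other executable sitting in the same drop directory."""
    findings: list[Finding] = []
    for raw in file_paths:
        path = PureWindowsPath(raw)
        if not _under(path, IOC_DROP_DIR):
            continue
        if path.name.lower() == IOC_PAYLOAD_NAME:
            findings.append(Finding("high", "known payload name in known drop directory", raw))
        elif path.suffix.lower() == ".exe":
            findings.append(Finding("medium", "unexpected executable in drop directory", raw))
    return findings


def hunt_shortcuts(shortcuts: list[Shortcut]) -> list[Finding]:
    """Flag Start Menu shortcuts that launch the payload or an executable from a suspicious root."""
    findings: list[Finding] = []
    for sc in shortcuts:
        if START_MENU_MARKER not in sc.lnk_path.lower():
            continue  # only Start Menu shortcuts are in scope for this hunt
        target = PureWindowsPath(sc.target)
        evidence = f"{sc.lnk_path} -> {sc.target}"
        if _under(target, IOC_DROP_DIR) and target.name.lower() == IOC_PAYLOAD_NAME:
            findings.append(Finding("high", "Start Menu shortcut launches known payload", evidence))
        elif target.suffix.lower() == ".exe" and any(_under(target, r) for r in SUSPICIOUS_TARGET_ROOTS):
            findings.append(Finding("medium", "Start Menu shortcut launches executable from user-writable root", evidence))
    return findings


# Constructed inventory: one infected-looking host with benign entries mixed in.
SAMPLE_FILES = [
    r"C:\ProgramData\Microsoft\DeviceSync\UsrRunVGA.exe",   # the article's IoC
    r"C:\ProgramData\Microsoft\DeviceSync\settings.dat",    # not an executable
    r"C:\Program Files\Mozilla Firefox\firefox.exe",        # benign
]
SAMPLE_SHORTCUTS = [
    Shortcut(r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync.lnk",
             r"C:\ProgramData\Microsoft\DeviceSync\UsrRunVGA.exe"),
    Shortcut(r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk",
             r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    Shortcut(r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tools.lnk",
             r"C:\Users\Public\tools\helper.exe"),
]


def run_hunt(files: list[str] = SAMPLE_FILES, shortcuts: list[Shortcut] = SAMPLE_SHORTCUTS) -> list[Finding]:
    """Run both hunts and return the combined findings, IoC hits first within each hunt."""
    return hunt_files(files) + hunt_shortcuts(shortcuts)


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f.severity.upper()}] {f.reason}: {f.evidence}")
```

On the sample inventory the script reports two high-severity hits (the payload on disk and the Startup shortcut that launches it) and one medium-severity lead (a Start Menu shortcut pointing into C:\Users\Public), while the Firefox entries produce nothing; the medium tier exists so that a renamed or relocated variant still surfaces as a lead even when the exact IoC no longer matches.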
How the Backdoor Functions
The Go-based backdoor boasts a formidable array of capabilities:
File and folder listing in a designated directory.
File exfiltration to the C2 server.
Extraction of clipboard contents.
Capture of desktop screenshots.
Scouring the disk for files with specific extensions (e.g., .doc, .docx, .pdf, .xls, .xlsx) and transferring them to the C2 server.
To thwart network monitoring solutions, all data transmitted to the C2 server is AES-encrypted. The malware also checks the username, system name and current directory to detect virtualized or sandbox environments, and terminates if one is detected; the values gathered by these checks are also used to profile the victim.
Stealthy Password Hunter
In the August iteration, Kaspersky observed a fresh variant of the backdoor that introduced subtle but significant changes. It simplified the preliminary checks and added new functionality for stealing user passwords.
This evolved version encompasses a module designed to target and extract user passwords stored in 27 web browsers and the Thunderbird email client. The targeted browsers include Chrome, Firefox, Edge, Opera, Brave, Vivaldi, and Yandex, a trusted browser in the Russian context.
To harden its communications, the new variant uses an updated AES key and adds RSA asymmetric encryption to protect the exchange of commands and parameters between the client and the C2 server.