APT37 Targets Windows with Rust Backdoor and Python Loader

MITRE Techniques

• [T1566.001 ] Phishing: Spearphishing Attachment – The threat actor delivers a malicious archive file to victims via spear phishing. Quote: ‘The threat actor delivers a malicious archive file to victims via spear phishing.’
• [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell – Windows commands are launched by the CHM file when Chinotto is delivered. Quote: ‘The Windows commands are launched by the CHM file when the Chinotto malware is delivered to the victim.’
• [T1059.007 ] Command and Scripting Interpreter: JavaScript – The JavaScript embedded HTA file is launched at the initial stage of the infection. Quote: ‘The JavaScript embedded HTA file is launched at the initial stage of the infection.’
• [T1053.005 ] Scheduled Task/Job: Scheduled Task – A Windows Task Scheduler entry named MicrosoftUpdate was created for persistence using a malicious shortcut file. Quote: ‘A Windows Task Scheduler entry named MicrosoftUpdate was created for persistence using a malicious shortcut file.’
• [T1204.001 ] User Execution: Malicious Link – The malicious Windows shortcut file was delivered to the victim. Quote: ‘The malicious Windows shortcut file was delivered to the victim.’
• [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The malicious CHM file creates a Run registry named OnedriveStandaloneUpdater for persistence. Quote: ‘The malicious CHM file creates a Run registry named OnedriveStandaloneUpdater for persistence.’
• [T1055.013 ] Process Injection: Process Doppelgänging – Using Python code, the malware injects malicious code into the legitimate process using Windows Transactional NTFS (TxF). Quote: ‘Using Python code, the malware injects malicious code into the legitimate process using Windows Transactional NTFS (TxF).’
• [T1036.003 ] Masquerading: Rename Legitimate Utilities – The legitimate Python module was renamed as tele_update.exe. Quote: ‘The legitimate Python module was renamed as tele_update.exe.’
• [T1036.004 ] Masquerading: Masquerade Task or Service – The malware creates services or registry keys that impersonate legitimate services, such as OneDrive or Windows Update. Quote: ‘The malware creates Windows services or registry keys that impersonate legitimate services, such as OneDrive or Windows Update.’
• [T1218.005 ] System Binary Proxy Execution: Mshta – The malware exploits mshta.exe to execute malicious .hta files as a proxy. Quote: ‘The malware exploits mshta.exe to execute malicious .hta files as a proxy.’
• [T1056.001 ] Input Capture: Keylogging – FadeStealer collects the user’s key strokes. Quote: ‘FadeStealer collects the user’s key strokes.’
• [T1113 ] Screen Capture – FadeStealer takes screenshots of the victim’s screen. Quote: ‘FadeStealer takes screenshots of the victim’s screen.’
• [T1123 ] Audio Capture – FadeStealer records microphone audio. Quote: ‘FadeStealer records microphone audio.’
• [T1025 ] Data from Removable Media – FadeStealer collects files from connected removable media devices. Quote: ‘FadeStealer collects files from connected removable media devices.’
• [T1560.001 ] Archive Collected Data: Archive via Utility – FadeStealer uses an embedded RAR utility to collect and compress data for exfiltration. Quote: ‘FadeStealer uses an embedded RAR utility to collect and compress data for exfiltration.’
• [T1071.001 ] Application Layer Protocol: Web Protocols – Rustonotto, Chinotto, and FadeStealer use HTTP communication for backdoor operations. Quote: ‘Rustonotto, Chinotto, and FadeStealer use HTTP communication for backdoor operations.’
• [T1132.001 ] Data Encoding: Standard Encoding – Rustonotto and Chinotto use Base64 encoding when sending data. Quote: ‘Rustonotto and Chinotto use Base64 encoding when sending data.’
• [T1041 ] Exfiltration Over C2 Channel – FadeStealer exfiltrates collected data through the C2 channel. Quote: ‘FadeStealer exfiltrates collected data through the C2 channel.’