APT31 has renewed its attacks on Russian media and energy companies, using a malicious document that loads a VMProtect-packed payload; code overlap with the group's known tooling links the activity to APT31. The campaign uses cloud storage services (notably Yandex.Disk) as C2 to blend in with legitimate traffic, continuing the group's earlier use of cloud services such as Dropbox.
Keypoints
- Targets include Russian media and energy companies, with infections starting from documents like «list.docx» in 2022.
- Template Injection and DLL Side-Loading are used to download and load malicious components from remote servers.
- Malware families YaRAT and Stealer0x3401 are described, with YaRAT employing Yandex.Disk as C2 and Stealer0x3401 focusing on RC4/Base64 data handling.
- Two YaRAT variants exist: one with token encryption inside the program, and one without; both involve VMProtect-based protection in some samples.
- Cloud-based C2 infrastructure includes Yandex.Disk (and historically Dropbox), illustrating a shift to legitimate services to evade network defenses.
- IOCs include specific DLLs, executables, and domain indicators; the campaign is attributed to APT31 based on code and infrastructure similarities.
- MITRE-aligned techniques span Initial Access, Execution, Persistence, Defense Evasion, Collection, Command and Control, and Exfiltration.
MITRE Techniques
- [T1566] Phishing – Execution – “APT31 sends phishing messages to gain access to victim systems”
- [T1204] User Execution – Execution – “APT31 sends MS Word documents containing malicious components”
- [T1587.001] Malware – Resource Development – “APT31 develops malware and malware components that can be used during targeting”
- [T1587.002] Develop Capabilities: Code Signing Certificates – Resource Development – “APT31 uses code signing to sign their malware and tools”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence – “APT31 achieves persistence by adding a program to a Registry run key”
- [T1574] Hijack Execution Flow – Persistence – “APT31 executes their own malicious payloads by hijacking the way operating systems run programs”
- [T1140] Deobfuscate/Decode Files or Information – Defense Evasion – “APT31 uses mechanisms to decode or deobfuscate information”
- [T1036] Masquerading – Defense Evasion – “APT31 manipulates features of their artifacts to make them appear legitimate to users”
- [T1112] Modify Registry – Defense Evasion – “APT31 team uses the Windows registry for persistence”
- [T1027] Obfuscated Files or Information – Defense Evasion – “APT31 uses encryption to make it difficult to detect or analyze an executable file”
- [T1560] Archive Collected Data – Collection – “APT31 tools encrypted the collected data before sending it to the servers”
- [T1001] Data Obfuscation – Command and Control – “APT31 obfuscates command and control traffic to make it more difficult to detect”
- [T1095] Non-Application Layer Protocol – Command and Control – “APT31 group used SSL for data transmission”
- [T1573.001] Encrypted Channel: Symmetric Cryptography – Command and Control – “APT31 used symmetric encryption algorithms to hide transmitted data”
- [T1132.001] Data Encoding: Standard Encoding – Command and Control – “APT31 group used RC4 and Base64 to hide transmitted data”
- [T1132.002] Data Encoding: Non-Standard Encoding – Command and Control – “The APT31 group used custom encryption key obfuscation algorithms as well as payload encryption”
- [T1102] Web Service – Command and Control – “APT31 group used Yandex.Disk as C&C”
- [T1020] Automated Exfiltration – Exfiltration – “APT31 uses automatic exfiltration of stolen files”
- [T1041] Exfiltration Over C2 Channel – Exfiltration – “APT31 uses C&C channel to exfiltrate data”
Indicators of Compromise
- [File name] msvcr100.dll – context: loaded as part of the DLL side-loading chain; example hashes listed in IoC table (MD5: 5897e67e491a9d8143f6d45803bc8ac8, SHA-256: 8148aeef6995c99c6f93ebce65b60bf57109914c45aa86d26a5cdc6ad8bba634)
- [File name] payload_1.bin – context: sample payload file used in campaigns (MD5: 176d11c9bafac6153f728d8afb692f6f, SHA-256: ea9429fa66ba14b99ff756b8497ccbd3403437d4150eaed6c5c0fe4a3cdf78a8)
- [File name] Анкета по результатам тестирования.doc – context: IoC file in table (MD5: 85f8bfb3b859a35e342e35d7c35e8746, SHA-256: a56003dc199224113e9c85b0edb2197d4a4af91b15e7d0710873e2ef848c3221)
- [File name] О заседании.doc – context: IoC file in table (MD5: 0c993a406be04b806222a130fb5a18e8, SHA-256: 256d3065de2345a6beff9458ad0b519bed8363ac0b984247768bd788e633e371)
- [File name] WINHTTP.dll – context: listed as malicious library (MD5: dfaa28a53310a43031e406ff927a6866, SHA-256: 4a5e9ab0e65e08ceb2adb2d150abb620684e98d79483b6c9f786c56c95fea573)
- [Domain] ramblercloud.com – context: C2 domain used by YaRAT
- [Domain] yandexpro.net – context: domain used in C2 infrastructure
- [Domain] portal.super-encrypt.com – context: network indicator observed in traffic
- [Domain] intranet-rsnet.com – context: network indicator observed in traffic
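As an added example (not from the PT Security report), the script below loads the file hashes, file names and domains listed above and matches them against files and DNS/proxy log lines. The log lines are constructed for the example. Two caveats a practitioner should carry over: `msvcr100.dll` and `WINHTTP.dll` are legitimate names that side-loading abuses, so a name hit without a hash hit is flagged as weak; and the Yandex.Disk traffic the report describes goes to a legitimate service that no domain list can flag, so that part of the campaign needs behavioural detection rather than IoC matching.

```python
import hashlib
import re

# IoC values copied from the report's table.
IOC_FILES = {
    "msvcr100.dll": ("5897e67e491a9d8143f6d45803bc8ac8",
                     "8148aeef6995c99c6f93ebce65b60bf57109914c45aa86d26a5cdc6ad8bba634"),
    "payload_1.bin": ("176d11c9bafac6153f728d8afb692f6f",
                      "ea9429fa66ba14b99ff756b8497ccbd3403437d4150eaed6c5c0fe4a3cdf78a8"),
    "Анкета по результатам тестирования.doc": ("85f8bfb3b859a35e342e35d7c35e8746",
                                               "a56003dc199224113e9c85b0edb2197d4a4af91b15e7d0710873e2ef848c3221"),
    "О заседании.doc": ("0c993a406be04b806222a130fb5a18e8",
                        "256d3065de2345a6beff9458ad0b519bed8363ac0b984247768bd788e633e371"),
    "WINHTTP.dll": ("dfaa28a53310a43031e406ff927a6866",
                    "4a5e9ab0e65e08ceb2adb2d150abb620684e98d79483b6c9f786c56c95fea573"),
}
IOC_DOMAINS = {"ramblercloud.com", "yandexpro.net", "portal.super-encrypt.com", "intranet-rsnet.com"}

IOC_MD5 = {md5: name for name, (md5, _) in IOC_FILES.items()}
IOC_SHA256 = {sha: name for name, (_, sha) in IOC_FILES.items()}
IOC_NAMES = {name.lower() for name in IOC_FILES}
# Names that also exist on clean systems (side-loading reuses legitimate names).
COMMON_NAMES = {"msvcr100.dll", "winhttp.dll"}


def match_file(name: str, data: bytes) -> dict:
    """Match one file by hash (strong) and by name (weak) against the IoC table."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    hash_hit = IOC_MD5.get(md5) or IOC_SHA256.get(sha256)
    name_hit = name.lower() in IOC_NAMES
    return {
        "hash_match": hash_hit,
        "name_match": name_hit,
        "weak_name_only": name_hit and hash_hit is None and name.lower() in COMMON_NAMES,
    }


# Hostnames in a log line: dotted labels ending in an alphabetic TLD (skips IPs and timestamps).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def match_log_line(line: str):
    """Return the IoC domain a line's hostnames match (exact or subdomain), else None."""
    for host in HOST_RE.findall(line):
        host = host.lower()
        for domain in IOC_DOMAINS:
            if host == domain or host.endswith("." + domain):
                return domain
    return None


def scan_log(lines):
    """(line index, matched domain) for every line that hits an IoC domain."""
    return [(idx, d) for idx, line in enumerate(lines) if (d := match_log_line(line))]


# Constructed DNS/proxy log lines (not real telemetry).
SAMPLE_LOG = [
    "2022-10-03T09:14:22Z dns host=ws-17 qname=portal.super-encrypt.com qtype=A",
    "2022-10-03T09:14:25Z proxy host=ws-17 dst=webdav.yandex.ru method=PUT status=201",
    "2022-10-03T09:15:01Z dns host=ws-22 qname=cdn.ramblercloud.com qtype=A",
    "2022-10-03T09:16:40Z proxy host=ws-09 dst=example.org method=GET status=200",
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    print(match_file("WINHTTP.dll", b"constructed bytes, not the real sample"))
```

Line 1 of the sample log (the Yandex WebDAV PUT) is exactly the traffic the report says blends in: it is not flagged here, which is the point. Pair the domain match with volume or timing anomalies on cloud-storage uploads from workstations.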
Read more: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/