This article discusses a sophisticated backdoor targeting large organizations in Russia's government, finance, and industrial sectors, delivered through a compromised ViPNet software update mechanism. The analysis details how the backdoor is delivered and executed, and emphasizes the need for multi-layered security to counter such advanced persistent threats.
Affected: Russia (government, finance, industrial sectors)
Keypoints :
- A sophisticated backdoor was discovered targeting organizations in Russia.
- The attack is linked to compromised ViPNet network software updates.
- The malware was distributed within LZH archives mimicking legitimate updates.
- The backdoor allows attackers to connect to a C2 server and steal files.
- Multi-layered security strategies are crucial in preventing such cyber threats.
- Kaspersky products provide protective measures against these types of attacks.
MITRE Techniques :
- Path Substitution (T1030): The legitimate executable lumpdiag.exe is used as a vector to execute the malicious msinfo32.exe by subverting its command-line arguments.
- Data from Local System (T1005): The malicious executable msinfo32.exe retrieves an encrypted payload from the archive.
- Command and Control (T1071): The backdoor can establish a TCP connection to a command-and-control server to exfiltrate data.
Indicator of Compromise :
- [File Hash] SHA-256: 018AD336474B9E54E1BD0E9528CA4DB528AC759E6662A4B4BE3E5BA7CFB6220477DA0829858178CCFC2C0A5313E327C1A5B31B22E41100EB9D0B9A27B9B2D8EFE6DB606FA2B7E9D58340DF14F65664B8
- [File Path] %TEMP%\update_tmp*\update\msinfo32.exe
- [File Path] %PROGRAMFILES%\common files\infotecs\update_tmp\driv_*\*\msinfo32.exe
- [File Path] %PROGRAMFILES(x86)%\InfoTeCS\ViPNet Coordinator\ccc\update_tmp\DRIV_FSA*\msinfo32.exe
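The path IoCs above and the lumpdiag.exe to msinfo32.exe execution chain from the MITRE section can be turned into a simple hunting check over process-creation telemetry. The following is an added example for illustration, not code from the original write-up or from Kaspersky: it converts the Windows path patterns (with %VAR% and * wildcards) into regexes, and flags msinfo32.exe running outside System32 or spawned by lumpdiag.exe. The event schema (image, parent_image, cmdline) and the sample events are constructed for the example.

```python
"""Hunting check for the msinfo32.exe drop paths and the lumpdiag.exe ->
msinfo32.exe chain. Example code added here; not from the original
write-up. Event records and sample paths are constructed."""
import re
from typing import Optional

# File-path IoCs as listed above. '%VAR%' and '*' are treated as wildcards.
IOC_PATH_PATTERNS = [
    r"%TEMP%\update_tmp*\update\msinfo32.exe",
    r"%PROGRAMFILES%\common files\infotecs\update_tmp\driv_*\*\msinfo32.exe",
    r"%PROGRAMFILES(x86)%\InfoTeCS\ViPNet Coordinator\ccc\update_tmp\DRIV_FSA*\msinfo32.exe",
]


def ioc_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a Windows path IoC into a case-insensitive anchored regex.

    %VAR% may expand to any absolute prefix (the real value differs per host),
    '*' matches within a single path component, and '\\' is literal.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "%":                      # skip over %NAME% token
            end = pattern.index("%", i + 1)
            parts.append(r".+")
            i = end + 1
        elif ch == "*":                    # wildcard inside one component
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


COMPILED_IOCS = [(p, ioc_pattern_to_regex(p)) for p in IOC_PATH_PATTERNS]

# msinfo32.exe is a legitimate Windows binary; its expected home is System32.
SYSTEM32_MSINFO = re.compile(r"^[a-z]:\\windows\\system32\\msinfo32\.exe$", re.IGNORECASE)


def match_ioc_path(path: str) -> Optional[str]:
    """Return the IoC pattern that a file path matches, or None."""
    for pattern, rx in COMPILED_IOCS:
        if rx.match(path):
            return pattern
    return None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_reasons(event: dict) -> list:
    """Evaluate one process-creation event (constructed schema) and return
    the list of reasons it looks like the described chain; empty if benign."""
    reasons = []
    image = event.get("image", "")
    parent = event.get("parent_image", "")
    ioc = match_ioc_path(image)
    if ioc:
        reasons.append(f"image path matches IoC pattern {ioc}")
    if basename(image) == "msinfo32.exe" and not SYSTEM32_MSINFO.match(image):
        reasons.append("msinfo32.exe executed from outside %SystemRoot%\\System32")
    if basename(image) == "msinfo32.exe" and basename(parent) == "lumpdiag.exe":
        reasons.append("msinfo32.exe spawned by lumpdiag.exe (path-substitution chain)")
    return reasons


# Constructed sample telemetry: one benign launch, one matching the write-up.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msinfo32.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "msinfo32.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\update_tmp1234\update\msinfo32.exe",
     "parent_image": r"C:\Program Files\InfoTeCS\lumpdiag.exe",
     "cmdline": "lumpdiag.exe <args omitted, constructed sample>"},
]


def scan_events(events: list) -> dict:
    """Map flagged image paths to their reasons."""
    return {e["image"]: r for e in events if (r := suspicious_reasons(e))}


if __name__ == "__main__":
    for image, reasons in scan_events(SAMPLE_EVENTS).items():
        print(image)
        for r in reasons:
            print("   -", r)
```

Treating %VAR% as "any prefix" deliberately over-matches rather than hard-coding one host's environment; in a real EDR query you would substitute the tenant's known values. The System32 check catches copies of msinfo32.exe dropped anywhere else, not only in the three listed directories.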
Full Story: https://securelist.com/new-backdoor-mimics-security-software-update/116246/