State-Sponsored APT Groups Launch Advanced Malware Attacks on Russian Government and IT Companies

APT groups targeting Russian government agencies and IT firms are deploying increasingly sophisticated malware campaigns, signaling elevated cyber-espionage tensions. Notable operations include EastWind, CloudSorcerer, GrewApacha, and CMoon, which employ data harvesting, backdoors, cloud-based C2, and DLL side-loading techniques. #CMoon #GrewApacha #EastWind #CloudSorcerer #PlugX #DRBControl #Clambling

Keypoints

  • Surge in Cyberattacks: Increased attacks on Russian government and IT sectors by APT groups.
  • Malware Complexity: Use of advanced malware techniques for execution and persistence.
  • CMoon Malware: Notable for data harvesting and spreading via USB drives.
  • EastWind Campaign: Spear-phishing with backdoors for remote control and data exfiltration.
  • CloudSorcerer APT: New actor utilizing cloud services for command and control.
  • GrewApacha Malware: Exploits DLL side-loading and Base64-encoded strings for backdoor remote control.
  • Need for Enhanced Security: Emphasis on improving cybersecurity measures and intelligence sharing.

MITRE Techniques

  • [T1566.001] Initial Access – Spear-phishing via attachments. Quote: [“Spear-phishing via attachments”]
  • [T1059.003] Execution – Command and Scripting Interpreter: Windows Command Shell. Quote: [“Command and Scripting Interpreter — Windows Command Shell”]
  • [T1574.002] Persistence – DLL Side-Loading (loading a malicious DLL through a legitimate host binary). Quote: [“DLL Side-Loading”]
  • [T1548] Privilege Escalation – Abuse Elevation Control Mechanism. Quote: [“Abuse Elevation Control Mechanism”]
  • [T1027] Defense Evasion – Obfuscated Files or Information. Quote: [“Obfuscated Files or Information”]
  • [T1218] Defense Evasion – Signed Binary Proxy Execution. Quote: [“Signed Binary Proxy Execution”]
  • [T1056.001] Credential Access – Input Capture: Keylogging. Quote: [“Input Capture — Keylogging”]
  • [T1082] Discovery – System Information Discovery. Quote: [“System Information Discovery”]
  • [T1021] Lateral Movement – Remote Services. Quote: [“Remote Services”]
  • [T1573] Command and Control – Encrypted Channel. Quote: [“Encrypted Channel”]
  • [T1102.001] Command and Control – Web Service. Quote: [“Web Service”]
  • [T1047] Execution – Windows Management Instrumentation. Quote: [“Checks if an Antivirus program is installed by querying system information.”]
  • [T1106] Execution – Native API. Quote: [“Involves interacting with the native OS application programming interface (API) to execute various behaviors.”]
  • [T1129] Execution – Shared Modules. Quote: [“Manipulates or exploits shared components by linking functions at runtime on Windows.”]

Indicators of Compromise

  • [IP Address] C2 communications – 93.185.167.95:9899, 40.126.32.133, and other listed addresses
  • [Domain] DNS and C2 domains – t-ring-fdv2.msedge.net, www.pornhub.com, a-ring-fallback.msedge.net, fp-afd-nocache-ccp.azureedge.net
  • [File Hash] Hash values – 132404f2b1c1f5a4d76bd38d1402bdfa, and 2 more hashes
  • [SHA-1] SHA-1 – 661a1494b20668b9189c569aa1bfdcc89d9eebab
  • [SHA-256] SHA-256 – a4be526be5359ad2981f439457fe652895731ad56c10c113c22a7836a9591e5d
  • [Authentihash] Authenticity hash – b5ca2f40363bef36494290e4ba8f4afbbd683756316fe931beec5095ac09cb55
  • [Imphash] Imphash – f34d5f2d4577ed6d9ceec516c1f5a744
  • [SSDEEP] SSDEEP – 6144:T924EnKpu9oQsiHQ+ZSrj8lhxWqyozbe/aYusDf6e2yG:UIu9osHnZvCoza/aYu4CepG
  • [TLSH] TLSH – T15F748D5D729D4F26CBD82E30E0AF001917B2F652A337F34B3A9961916C03376A9C57E5
  • [File Name] Known filenames – build.exe_exe, P23ec64f1b8ebfb64749639d2d2a4085b294c99.exe, rf03371ed1100c4bc7d0bf7357bb33342.exe, ytxostao.dat, file.dat
  • [HTTP URL] Known URLs – http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D, http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D, http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
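A practitioner using this list would not feed every entry into an alert rule at the same weight: the msedge.net and azureedge.net names and the ocsp.digicert.com URLs are Microsoft CDN and DigiCert certificate-revocation infrastructure that ordinary Windows hosts contact constantly, 40.126.32.133 sits in Microsoft address space, and www.pornhub.com is a widely visited site, so a hit on any of those alone says little. The script below is an added example, not code from the original post or from any of the campaigns' analyses; it tiers the page's indicators into high- and low-confidence sets and sweeps them over a few constructed telemetry lines. The `ts host event key=value ...` log format and the hostnames ws01/ws02 are assumptions made for the example, not any product's real schema.

```python
"""Triage sample telemetry against the indicators of compromise listed on this page.

Indicator values are taken from the page. The log lines at the bottom are
constructed for this example, and the key=value log format is an assumption,
not any particular EDR or proxy product's schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# High-confidence indicators: the page attributes these directly to the campaigns.
HIGH_IP_PORTS = {("93.185.167.95", 9899)}  # listed with its port on the page
HIGH_IPS = {ip for ip, _ in HIGH_IP_PORTS}
HIGH_FILENAMES = {
    "build.exe_exe",
    "P23ec64f1b8ebfb64749639d2d2a4085b294c99.exe",
    "rf03371ed1100c4bc7d0bf7357bb33342.exe",
    "ytxostao.dat",
    "file.dat",
}
HIGH_HASHES = {
    "md5": {"132404f2b1c1f5a4d76bd38d1402bdfa"},
    "sha1": {"661a1494b20668b9189c569aa1bfdcc89d9eebab"},
    "sha256": {"a4be526be5359ad2981f439457fe652895731ad56c10c113c22a7836a9591e5d"},
}
# Low-confidence indicators: Microsoft CDN / Azure address space, DigiCert OCSP
# responders and a high-traffic public site. Benign hosts touch these every day,
# so a hit here should trigger a lookup against the other tier, not an alert.
LOW_IPS = {"40.126.32.133"}
LOW_DOMAINS = {
    "t-ring-fdv2.msedge.net",
    "a-ring-fallback.msedge.net",
    "fp-afd-nocache-ccp.azureedge.net",
    "ocsp.digicert.com",
    "www.pornhub.com",
}


@dataclass(frozen=True)
class Hit:
    timestamp: str
    host: str
    tier: str       # "high" or "low"
    ioc_type: str   # "ip", "ip:port", "domain", "filename", "md5", "sha1", "sha256"
    value: str


def parse_line(line: str) -> dict[str, str]:
    """Parse 'ts host event k=v k=v ...' (constructed format) into a flat dict."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError(f"malformed line: {line!r}")
    fields = {"ts": parts[0], "host": parts[1], "event": parts[2]}
    for token in parts[3:]:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def match_fields(fields: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (tier, ioc_type, value) for every indicator the parsed fields hit."""
    hits: list[tuple[str, str, str]] = []
    dst = fields.get("dst")
    if dst:
        ip, _, port = dst.partition(":")
        port_num = int(port) if port.isdigit() else None
        if (ip, port_num) in HIGH_IP_PORTS:
            hits.append(("high", "ip:port", dst))
        elif ip in HIGH_IPS:
            hits.append(("high", "ip", ip))
        elif ip in LOW_IPS:
            hits.append(("low", "ip", ip))
    query = fields.get("query")
    if query and query.lower().rstrip(".") in LOW_DOMAINS:
        hits.append(("low", "domain", query.lower().rstrip(".")))
    url = fields.get("url")
    if url:
        hostname = (urlparse(url).hostname or "").lower()
        if hostname in LOW_DOMAINS:
            hits.append(("low", "domain", hostname))
    name = fields.get("name")
    if name in HIGH_FILENAMES:
        hits.append(("high", "filename", name))
    for algo, known in HIGH_HASHES.items():
        digest = fields.get(algo, "").lower()   # hashes are compared case-insensitively
        if digest in known:
            hits.append(("high", algo, digest))
    return hits


def scan(lines: list[str]) -> list[Hit]:
    """Sweep the indicator sets over every non-empty log line."""
    hits: list[Hit] = []
    for line in lines:
        if not line.strip():
            continue
        fields = parse_line(line)
        for tier, ioc_type, value in match_fields(fields):
            hits.append(Hit(fields["ts"], fields["host"], tier, ioc_type, value))
    return hits


def summarize(hits: list[Hit]) -> dict[str, dict[str, int]]:
    """Per-host counts by tier; a host with high-tier hits is the one to pull first."""
    summary: dict[str, dict[str, int]] = {}
    for hit in hits:
        summary.setdefault(hit.host, {"high": 0, "low": 0})[hit.tier] += 1
    return summary


# Constructed sample telemetry (not real captures). ws01 shows a high-confidence
# pattern; ws02 only touches the low-confidence infrastructure.
SAMPLE_LOG = """\
2024-08-12T10:01:02Z ws01 dns query=t-ring-fdv2.msedge.net
2024-08-12T10:01:05Z ws01 net dst=93.185.167.95:9899 proto=tcp
2024-08-12T10:01:07Z ws01 file name=ytxostao.dat md5=132404F2B1C1F5A4D76BD38D1402BDFA
2024-08-12T10:02:00Z ws02 net dst=40.126.32.133:443 proto=tcp
2024-08-12T10:02:03Z ws02 http url=http://ocsp.digicert.com/EXAMPLE-PLACEHOLDER-PATH
2024-08-12T10:02:10Z ws02 file name=report.docx sha256=0000000000000000000000000000000000000000000000000000000000000000
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.host} [{hit.tier}] {hit.ioc_type}={hit.value}")
    print(summarize(scan(SAMPLE_LOG)))
```

On the constructed data, ws01 produces three high-tier hits (the C2 socket, the known filename and its MD5) plus one low-tier DNS hit, while ws02 produces only low-tier hits and would be a candidate for a quick lookup rather than an incident. Matching on the `(ip, port)` pair before the bare IP keeps the page's port detail without losing the match when the same address is seen on another port.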

Read more: https://medium.com/@jazkiller2432/state-sponsored-apt-groups-target-russian-government-and-it-firms-with-sophisticated-malware-3a8df40cb0e2