Researchers from Kaspersky have detected a series of ongoing targeted cyberattacks on dozens of computers at Russian government entities and IT organizations. The bad actors infected devices via phishing emails with malicious shortcut attachments.
These shortcuts were used to deliver malware that received commands via the popular cloud service Dropbox. Malicious actors used this malware to download additional payloads onto infected machines, in particular tools used by the APT31 group and an updated CloudSorcerer backdoor.
Kaspersky has named this campaign EastWind.
The security giant shared some interesting facts about the implants used in this campaign:
- APT31 has used the malware downloaded by the criminals from Dropbox for at least three years – Kaspersky dubbed it GrewApacha.
- The malefactors updated the CloudSorcerer backdoor, which Kaspersky discovered in May 2024. It currently uses LiveJournal (a popular Russian social network) and Quora profiles as initial command-and-control (C2) servers.
- The attacks also deploy a previously unknown implant with a classic backdoor functionality, which Kaspersky called PlugY. It is loaded via the CloudSorcerer backdoor and has an extensive command set. It also supports three different protocols for communicating with C2. Moreover, its code resembles the DRBControl backdoor (also known as Clambling), which a few entities attribute to the APT27 group.
Detecting Attacks
The implants pinpointed during the attack are significantly different from each other. As such, a separate set of indicators of compromise (IoCs) for each malware must be used in any incident.
Kaspersky says the backdoor that uses Dropbox and is delivered via email can be found by looking for DLL files larger than 5 MB and located in the directory C:\Users\Public. Regular access to the Dropbox cloud in network traffic could also indicate that this backdoor is in operation.
The GrewApacha Trojan can be identified by locating an unsigned file named msedgeupdate.dll on the file system, typically several megabytes.
The PlugY implant, delivered through the CloudSorcerer backdoor, triggers a msiexec.exe process for each user logged into the OS and generates named pipes with the template \.\PIPE\Y. The detection of these two indicators strongly suggests a system infection.
Deeply Sophisticated Toolkits
In attacks targeting public sector organizations, bad actors often deploy sophisticated toolkits that use a wide range of techniques and tactics. To conceal their malicious activity, they go to great lengths to disguise it within network traffic. For example, the attackers behind the EastWind campaign leveraged popular network services like GitHub, Dropbox, Quora, LiveJournal, and Yandex.Disk as C2 servers.
Interestingly, the EastWind campaign exhibited malware linked to two Chinese-speaking groups, APT27 and APT31. This highlights the frequent collaboration between APT groups that actively share knowledge and tools. To effectively counter these collaborations, we continuously monitor the tactics and techniques of APT groups worldwide.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.