Kaspersky researchers detail a wave of targeted attacks, first observed in January of 2022, on military industrial complex enterprises and public institutions in several countries, identifying multiple attacks. The attackers breached the networks of dozens of enterprises, taking control and evading security solutions. They determined that cyberespionage was the goal of these attacks.
- The attacks used phishing emails, some of which used information that is specific to the organization under attack and is not publicly available. This could indicate that the attackers did preparatory work in advance
- A new version of PortDoor was identified in the course of our research. PortDoor collects general information on the infected system and sends it to the malware command-and-control (CnC) server. In cases where an infected system is of interest to the attackers, they use the PortDoor functionality to control the system remotely and install additional malware.
- The attackers used five different backdoors at the same time – probably to set up redundant communication channels with infected systems in case one of the malicious programs was detected and removed by a security solution.
- Of the six backdoors identified on infected systems, five (PortDoor, nccTrojan, Logtu, Cotx, and DNSep) have been used earlier in attacks attributed by other researchers to APT TA428. The sixth backdoor is new and has not been observed in other attacks.
- The attackers used DLL hijacking and process hollowing techniques extensively in the attack to prevent security software from detecting the malware.
- The attackers compressed stolen files into encrypted and password-protected ZIP archives. After receiving the data collected, the stage one CnC servers forwarded the archives received to a stage two server located in China.
- The research identified malware and CnC servers previously used in attacks attributed by other researchers to TA428 APT group.