China-linked cyber-spies infect Russian govt, IT sector

Cyber-spies suspected of connections with China have infected "dozens" of computers belonging to Russian government agencies and IT providers with backdoors and trojans since late July, according to Kaspersky.

The Russia-based security biz claimed the malware used in the ongoing, targeted attacks – dubbed EastWind – has links to two China-nexus groups tracked as APT27 and APT31. 

After gaining initial access to their victims' devices via phishing emails, the attackers used various cloud services and sites including GitHub, Dropbox, Quora, LiveJournal, and Yandex.Disk to direct their remote-control malware to download additional payloads onto compromised computers. Those services were effectively used as command-and-control (C2) servers.

These phishing emails sent RAR archive attachments containing a Windows shortcut along with a decoy document and both legitimate and malicious files to organizations' email addresses. These include malicious libraries that use DLL sideloading to drop a backdoor that then begins communicating with Dropbox.

Once it establishes contact with the cloud storage service, the backdoor fetches instructions from its masters, executes commands, conducts reconnaissance, and downloads additional malware. The malware includes a trojan – previously linked to APT31 during a 2021 and 2023 campaign – that Kaspersky named "GrewApacha."

This particular version of GrewApacha uses the same loader spotted in 2023, but now uses two C2 servers. It also uses a GitHub profile bio to obfuscate the C2 server address, which is stored in a Base64-encoded string.

In addition to the GrewApacha trojan, the attackers also downloaded the CloudSorcerer backdoor. Kaspersky previously reported on this malware in July, and noted that since that time the attackers have modified it to use profile pages on the Russian-language social network LiveJournal and the question/answer website Quora as the initial C2 servers.

CloudSorcerer, while deployed against Russian organizations in this particular campaign, was also spotted in a late May attack against a US-based org, according to Proofpoint.

• Russian cyber snoops linked to massive credential-stealing campaign
• Belgium says Chinese cyber gangs attacked its government and military
• Stifling Beijing in cyberspace is now British intelligence's number-one mission
• Kaspersky says Uncle Sam snubbed proposal to open up its code for third-party review

In analyzing the updated CloudSorcerer samples, the threat hunters discovered that the criminals were using this backdoor to download a previously unknown implant they dubbed PlugY. 

This implant connects to the C2 server via TCP, UDP, or named pipes, and can handle a "quite extensive" set of commands, we're told. This includes manipulating files, executing shell commands, logging keystrokes, monitoring screens and snooping around clipboards.

"Analysis of the implant is still ongoing, but we can conclude with a high degree of confidence that the code of the DRBControl (aka Clambling) backdoor was used to develop it," Kaspersky's researchers wrote this week. 

The DRBControl backdoor has been linked to APT27.

And Kaspersky observed that the fact the EastWind campaign used malware with similarities to samples used by both APT27 and APT29 "clearly shows" that nation-state backed crews "very often team up, actively sharing knowledge and tools." ®

PS: Last week we noted Iranian cyber-crews were stepping up attempts to stick their oar into this year's US elections. Now Google says it's seen Iran-backed teams targeting people on the Republican and Democrat campaigns, among others including the Israeli military.