Security

Research

China-linked cyber-spies infect Russian govt, IT sector

No, no, go ahead, don't let us stop you, Xi


Cyber-spies suspected of connections with China have infected "dozens" of computers belonging to Russian government agencies and IT providers with backdoors and trojans since late July, according to Kaspersky.

The Russia-based security biz claimed the malware used in the ongoing, targeted attacks – dubbed EastWind – has links to two China-nexus groups tracked as APT27 and APT31. 

After gaining initial access to their victims' devices via phishing emails, the attackers used various cloud services and sites including GitHub, Dropbox, Quora, LiveJournal, and Yandex.Disk to direct their remote-control malware to download additional payloads onto compromised computers. Those services were effectively used as command-and-control (C2) servers.

These phishing emails sent RAR archive attachments containing a Windows shortcut along with a decoy document and both legitimate and malicious files to organizations' email addresses. These include malicious libraries that use DLL sideloading to drop a backdoor that then begins communicating with Dropbox.

Once it establishes contact with the cloud storage service, the backdoor fetches instructions from its masters, executes commands, conducts reconnaissance, and downloads additional malware. The malware includes a trojan – previously linked to APT31 during a 2021 and 2023 campaign – that Kaspersky named "GrewApacha."

This particular version of GrewApacha uses the same loader spotted in 2023, but now uses two C2 servers. It also uses a GitHub profile bio to obfuscate the C2 server address, which is stored in a Base64-encoded string.

In addition to the GrewApacha trojan, the attackers also downloaded the CloudSorcerer backdoor. Kaspersky previously reported on this malware in July, and noted that since that time the attackers have modified it to use profile pages on the Russian-language social network LiveJournal and the question/answer website Quora as the initial C2 servers.

CloudSorcerer, while deployed against Russian organizations in this particular campaign, was also spotted in a late May attack against a US-based org, according to Proofpoint.

In analyzing the updated CloudSorcerer samples, the threat hunters discovered that the criminals were using this backdoor to download a previously unknown implant they dubbed PlugY. 

This implant connects to the C2 server via TCP, UDP, or named pipes, and can handle a "quite extensive" set of commands, we're told. This includes manipulating files, executing shell commands, logging keystrokes, monitoring screens and snooping around clipboards.

"Analysis of the implant is still ongoing, but we can conclude with a high degree of confidence that the code of the DRBControl (aka Clambling) backdoor was used to develop it," Kaspersky's researchers wrote this week. 

The DRBControl backdoor has been linked to APT27.

And Kaspersky observed that the fact the EastWind campaign used malware with similarities to samples used by both APT27 and APT29 "clearly shows" that nation-state backed crews "very often team up, actively sharing knowledge and tools." ®

PS: Last week we noted Iranian cyber-crews were stepping up attempts to stick their oar into this year's US elections. Now Google says it's seen Iran-backed teams targeting people on the Republican and Democrat campaigns, among others including the Israeli military.

Send us news
17 Comments

Ransomware scum blow holes in Cleo software patches, Cl0p (sort of) claims responsibility

But can you really take crims at their word?

How Androxgh0st rose from Mozi's ashes to become 'most prevalent malware'

Botnet's operators 'driven by similar interests as that of the Chinese state'

Critical security hole in Apache Struts under exploit

You applied the patch that could stop possible RCE attacks last week, right?

Suspected LockBit dev, facing US extradition, 'did it for the money'

Dual Russian-Israeli national arrested in August

Don't fall for a mail asking for rapid Docusign action – it may be an Azure account hijack phish

Recent campaign targeted 20,000 folk across UK and Europe with this tactic, Unit 42 warns

Phishers cast wide net with spoofed Google Calendar invites

Not that you needed another reason to enable the 'known senders' setting

Iran-linked crew used custom 'cyberweapon' in US critical infrastructure attacks

IOCONTROL targets IoT and OT devices from a ton of makers, apparently

US names Chinese national it alleges was behind 2020 attack on Sophos firewalls

Also sanctions his employer – an outfit called Sichuan Silence linked to Ragnarok ransomware

China's Salt Typhoon recorded top American officials' calls, says White House

No word yet on who was snooped on. Any bets?

How Chinese insiders are stealing data scooped up by President Xi's national surveillance system

'It's a double-edged sword,' security researchers tell The Reg

Crooks stole AWS credentials from misconfigured sites then kept them in open S3 bucket

ShinyHunters-linked heist thought to have been ongoing since March

Are your Prometheus servers and exporters secure? Probably not

Plus: Netscaler brute force barrage; BeyondTrust API key stolen; and more