August 12, 2024Ravie LakshmananCloud Security / Malware

Russian government and IT organizations have been targeted by a new campaign that delivers a number of backdoors and trojans as part of a spear-phishing campaign codenamed EastWind.

The attack chains are characterized by the use of RAR archive attachments containing a Windows shortcut (.lnk) file. When opened, the infection sequence is triggered, resulting in the deployment of malware such as GrewApacha, an updated version of the CloudSorcerer backdoor, and a so far undocumented implant called PlugY.

PlugY is “downloaded via the CloudSorcerer backdoor, has an extensive set of commands and supports three different protocols for communication with the command-and-control server,” according to Russian cybersecurity company Kaspersky.

The first infection vector uses a booby-trapped LNK file, which leverages DLL sideloading techniques to launch a malicious DLL file that Dropbox uses as a communication mechanism to execute reconnaissance commands and download additional payloads.

Among the malware deployed with the DLL is GrewApacha, a known backdoor previously associated with the China-linked APT31 group. Also launched with DLL sideloading, it uses an attacker-controlled GitHub profile as a dead drop resolver to store a Base64-encoded string from the actual C2 server.

CloudSorcerer, on the other hand, is an advanced cyberespionage tool used for stealth monitoring, data collection, and exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure. Similar to GrewApacha, the updated variant uses legitimate platforms such as LiveJournal and Quora as an initial C2 server.

“As with previous versions of CloudSorcerer, profile biographies contain an encrypted authentication token for communicating with the cloud service,” Kaspersky said.

Furthermore, it uses an encryption-based protection mechanism that ensures that the malware is only deployed on the victim’s computer. This is done using a unique key that is derived from the Windows GetTickCount() function at runtime.

The third malware family observed in the attacks is PlugY. This is a full-featured backdoor that connects to a management server via TCP, UDP, or named pipes. This backdoor has the ability to execute shell commands, monitor the device screen, log keystrokes, and capture clipboard contents.

According to Kaspersky, an analysis of PlugX’s source code has revealed similarities with a known backdoor called DRBControl (also known as Clambling), which has been attributed to threat clusters in the China region, namely APT27 and APT41.

“The attackers behind the EastWind campaign used popular network services as command servers – GitHub, Dropbox, Quora, but also Russian LiveJournal and Yandex Disk,” the company said.

Kaspersky also revealed details of a watering hole attack in which a legitimate site related to gas supplies in Russia was hacked to spread a worm called CMoon. This worm can collect confidential data and payment details, take screenshots, download additional malware, and perform distributed denial-of-service (DDoS) attacks on targets of interest.

The malware also collects files and data from various web browsers, cryptocurrency wallets, instant messaging apps, SSH clients, FTP software, video recording and streaming apps, authenticators, remote desktop tools, and VPNs.

“CMoon is a worm written in . NET, with broad functionality for data theft and remote control,” it said. “Immediately after installation, the executable starts monitoring connected USB drives. This allows you to steal files that might be of interest to attackers from removable media, copy a worm to them and infect other computers where the drive will be used.”