Security

Research

China-linked cyber-spies infect Russian govt, IT sector

No, no, go ahead, don't let us stop you, Xi


Cyber-spies suspected of connections with China have infected "dozens" of computers belonging to Russian government agencies and IT providers with backdoors and trojans since late July, according to Kaspersky.

The Russia-based security biz claimed the malware used in the ongoing, targeted attacks – dubbed EastWind – has links to two China-nexus groups tracked as APT27 and APT31. 

After gaining initial access to their victims' devices via phishing emails, the attackers used various cloud services and sites including GitHub, Dropbox, Quora, LiveJournal, and Yandex.Disk to direct their remote-control malware to download additional payloads onto compromised computers. Those services were effectively used as command-and-control (C2) servers.

These phishing emails sent RAR archive attachments containing a Windows shortcut along with a decoy document and both legitimate and malicious files to organizations' email addresses. These include malicious libraries that use DLL sideloading to drop a backdoor that then begins communicating with Dropbox.

Once it establishes contact with the cloud storage service, the backdoor fetches instructions from its masters, executes commands, conducts reconnaissance, and downloads additional malware. The malware includes a trojan – previously linked to APT31 during a 2021 and 2023 campaign – that Kaspersky named "GrewApacha."

This particular version of GrewApacha uses the same loader spotted in 2023, but now uses two C2 servers. It also uses a GitHub profile bio to obfuscate the C2 server address, which is stored in a Base64-encoded string.

In addition to the GrewApacha trojan, the attackers also downloaded the CloudSorcerer backdoor. Kaspersky previously reported on this malware in July, and noted that since that time the attackers have modified it to use profile pages on the Russian-language social network LiveJournal and the question/answer website Quora as the initial C2 servers.

CloudSorcerer, while deployed against Russian organizations in this particular campaign, was also spotted in a late May attack against a US-based org, according to Proofpoint.

In analyzing the updated CloudSorcerer samples, the threat hunters discovered that the criminals were using this backdoor to download a previously unknown implant they dubbed PlugY. 

This implant connects to the C2 server via TCP, UDP, or named pipes, and can handle a "quite extensive" set of commands, we're told. This includes manipulating files, executing shell commands, logging keystrokes, monitoring screens and snooping around clipboards.

"Analysis of the implant is still ongoing, but we can conclude with a high degree of confidence that the code of the DRBControl (aka Clambling) backdoor was used to develop it," Kaspersky's researchers wrote this week. 

The DRBControl backdoor has been linked to APT27.

And Kaspersky observed that the fact the EastWind campaign used malware with similarities to samples used by both APT27 and APT29 "clearly shows" that nation-state backed crews "very often team up, actively sharing knowledge and tools." ®

PS: Last week we noted Iranian cyber-crews were stepping up attempts to stick their oar into this year's US elections. Now Google says it's seen Iran-backed teams targeting people on the Republican and Democrat campaigns, among others including the Israeli military.

Send us news
17 Comments

Miscreants 'mass exploited' Fortinet firewalls, 'highly probable' zero-day used

Ransomware 'not off the table,' Arctic Wolf threat hunter tells El Reg

Ransomware crew abuses AWS native encryption, sets data-destruct timer for 7 days

'Codefinger' crims on the hunt for compromised keys

Mitel 0-day, 5-year-old Oracle RCE bug under active exploit

3 CVEs added to CISA's catalog

Chinese cyber-spies peek over shoulder of officials probing real-estate deals near American military bases

Gee, wonder why Beijing is so keen on the – checks notes – Committee on Foreign Investment in the US

Russia's Star Blizzard phishing crew caught targeting WhatsApp accounts

FSB cyberspies venture into a new app for espionage, Microsoft says

China's Salt Typhoon spies spotted on US govt networks before telcos, CISA boss says

We are only seeing 'the tip of the iceberg,' Easterly warns

FBI wipes Chinese PlugX malware from thousands of Windows PCs in America

Hey, Xi: Zài jiàn!

Microsoft sues 'foreign-based' cyber-crooks, seizes sites used to abuse AI

Scumbags stole API keys, then started a hacking-as-a-service biz, it is claimed

Crims backdoored the backdoors they supplied to other miscreants. Then the domains lapsed

Here's what $20 gets you these days

FireScam infostealer poses as Telegram Premium app to surveil Android devices

Once installed, it helps itself to your data like it's a free buffet

Charter, Consolidated, Windstream reportedly join China's Salt Typhoon victim list

Slow drip of compromised telecom networks continues

GoDaddy slapped with wet lettuce for years of lax security and 'several major breaches'

Watchdog alleged it had no SIEM or MFA, orders rapid adoption of basic infosec tools