Article Details
Scrape Timestamp (UTC): 2023-10-24 19:49:17.913
Original Article Text
Hackers backdoor Russian state, industrial orgs for data theft

Several state and key industrial organizations in Russia were attacked with a custom Go-based backdoor that performs data theft, likely in support of espionage operations. Kaspersky first detected the campaign in June 2023; in mid-August the firm spotted a newer version of the backdoor with better evasion, indicating that the attackers are still refining their tooling. The threat actors behind the campaign are unknown, and Kaspersky was limited to sharing indicators of compromise that can help defenders detect and block the attacks.

Malicious ARJ archives

The attack begins with an email carrying a malicious ARJ archive named 'finansovyy_kontrol_2023_180529.rar' ("financial control"; the file is an ARJ archive despite its .rar extension). The archive delivers a Nullsoft (NSIS) installer executable containing a decoy PDF document, used to distract the victim, and an NSIS script that fetches the primary payload from an external URL (fas-gov-ru[.]com) and launches it. The payload is dropped in 'C:\ProgramData\Microsoft\DeviceSync\' as 'UsrRunVGA.exe.'

Kaspersky says the same phishing wave distributed two more backdoors, named 'Netrunner' and 'Dmcserv.' These are the same malware with different C2 (command and control) server configurations. The script launches the malicious executables in a hidden window and adds a Start Menu link to establish persistence.

The backdoor's functionality includes the following:
All data sent to the C2 server is first AES encrypted to evade detection by network monitoring solutions.
To evade analysis, the malware checks the username, system name, and directories to detect whether it is running in a virtualized environment, and exits if it is. The results of these checks are sent to the C2 during the initial phase of the infection and used for victim profiling.
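The indicators above (lure archive name, ARJ content behind a .rar extension, the DeviceSync drop path, the hidden launch, the Start Menu link, and the fas-gov-ru[.]com C2 domain) are enough to build a first-pass hunt. The following is an added example written for this page, not Kaspersky's or BleepingComputer's code: it runs those checks over a handful of constructed telemetry events. The event schema, the field names, the sample events, and the placement of the persistence link under the Start Menu tree are assumptions for the demo; the C2 domain is refanged in code so it can be matched against real DNS telemetry.

```python
"""Indicator hunt for the Go-based backdoor campaign described above.

Added example, not code from the article or from Kaspersky. The indicators
(drop path, C2 domain, lure archive name) come from the article; the event
schema and the sample events below are constructed for this demo.
"""
import re
from dataclasses import dataclass

DROP_DIR = r"C:\ProgramData\Microsoft\DeviceSync"
DROP_PATH = DROP_DIR + r"\UsrRunVGA.exe"
C2_DOMAIN = "fas-gov-ru.com"            # refanged from fas-gov-ru[.]com for matching
LURE_ARCHIVE = "finansovyy_kontrol_2023_180529.rar"

ARJ_MAGIC = b"\x60\xea"                 # ARJ header marker bytes
RAR_MAGIC = b"Rar!\x1a\x07"             # RAR signature prefix (RAR4 and RAR5)

# Assumption: the persistence link is written somewhere under the Start Menu
# tree; the article only says a Start Menu link is added.
START_MENU_LNK = re.compile(r"\\Start Menu\\.*\.lnk$", re.IGNORECASE)


@dataclass
class Hit:
    rule: str
    detail: str


def check_event(ev: dict) -> list[Hit]:
    """Return every indicator rule that a single telemetry event trips."""
    hits: list[Hit] = []
    kind = ev.get("type")

    if kind == "email_attachment":
        name = ev.get("filename", "")
        head = ev.get("head", b"")          # first bytes of the attachment
        if name.lower() == LURE_ARCHIVE:
            hits.append(Hit("lure_archive_name", name))
        # A ".rar" whose content is really ARJ is exactly the lure described.
        if (name.lower().endswith(".rar") and head.startswith(ARJ_MAGIC)
                and not head.startswith(RAR_MAGIC)):
            hits.append(Hit("archive_extension_mismatch", f"{name} has ARJ magic"))

    elif kind == "process_create":
        image = ev.get("image", "")
        if image.lower() == DROP_PATH.lower():
            hits.append(Hit("dropped_payload_executed", image))
        # The NSIS stage launches the payload in a hidden window (assumed
        # "window" field carrying the show-window state).
        if ev.get("window") == "hidden" and image.lower().startswith(DROP_DIR.lower() + "\\"):
            hits.append(Hit("hidden_launch_from_devicesync", image))

    elif kind == "dns_query":
        q = ev.get("query", "").lower().rstrip(".")
        if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
            hits.append(Hit("c2_domain_lookup", q))

    elif kind == "file_create":
        target = ev.get("target", "")
        if START_MENU_LNK.search(target) and DROP_PATH.lower() in ev.get("link_target", "").lower():
            hits.append(Hit("start_menu_persistence_link", target))

    return hits


def scan(events: list[dict]) -> list[Hit]:
    """Run check_event over a stream of events and collect all hits in order."""
    out: list[Hit] = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample telemetry (not from a real infection) mimicking the chain.
SAMPLE_EVENTS = [
    {"type": "email_attachment", "filename": LURE_ARCHIVE, "head": ARJ_MAGIC + b"\x2b\x00"},
    {"type": "dns_query", "query": "fas-gov-ru.com."},
    {"type": "process_create", "image": DROP_PATH, "window": "hidden"},
    {"type": "file_create",
     "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UsrRunVGA.lnk",
     "link_target": DROP_PATH},
    {"type": "dns_query", "query": "update.microsoft.com"},   # benign control event
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h.rule:32} {h.detail}")
```

The magic-byte check is the most durable rule here: the domain and file names will rotate, but an attachment whose extension says RAR while its bytes say ARJ is a lure property worth alerting on regardless of this campaign.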
New version steals passwords

In mid-August, Kaspersky noticed a new variant of the backdoor with minor changes, such as the removal of some noisy preliminary checks and the addition of new file-stealing capabilities. Most notably, the new version adds a module that targets user passwords stored in 27 web browsers and the Thunderbird email client. Browsers targeted by the latest version include Chrome, Firefox, Edge, Opera, Brave, Vivaldi, and Yandex, a popular and trusted browser in Russia. The AES key has been refreshed in this version, and RSA asymmetric encryption has been added to protect the client-to-C2 command and parameter communications.
Daily Brief Summary
State and key industrial organizations in Russia were attacked using a custom-built Go-based backdoor that supports data theft and espionage activities. Cybersecurity firm Kaspersky first detected the activities in June 2023.
An advanced version of the backdoor, with improved evasion abilities, was spotted by Kaspersky mid-August, implying the ongoing enhancement of the attacks.
The attack starts with an email carrying a malicious Nullsoft archive executable disguised as 'financial control'. It contains a decoy PDF document and an NSIS script that fetches the malware payload from an external URL and launches it.
Two additional backdoors, 'Netrunner' and 'Dmcserv', distributed in the same phishing wave are the same malware with different command and control server configurations.
To resist detection, the malware encrypts all data sent to the command and control server and performs checks to detect if it's being run in a virtual environment.
A new version of the backdoor released in mid-August adds file-stealing capabilities, targeting user passwords stored in 27 web browsers and the Thunderbird email client. This version uses a refreshed AES key and adds RSA asymmetric encryption to protect its command traffic to the C2 server.