
A number of state and key industrial organizations in Russia have been attacked with a custom Go-based backdoor that performs data theft, most likely in support of espionage operations.
Kaspersky first detected the campaign in June 2023, while in mid-August the security company spotted a newer version of the backdoor that introduced better evasion, indicating ongoing refinement of the attacks.
The threat actors responsible for this campaign are unknown, and Kaspersky was limited to sharing indicators of compromise that can help defenders thwart the attacks.
Malicious ARJ archives
The attack begins with an email carrying a malicious ARJ archive named ‘finansovyy_kontrol_2023_180529.rar’ (financial control), which is a Nullsoft archive executable.
The archive contains a decoy PDF document used to distract the victim and an NSIS script that fetches the main payload from an external URL (fas-gov-ru[.]com) and launches it.
The malware payload is dropped in ‘C:\ProgramData\Microsoft\DeviceSync’ as ‘UsrRunVGA.exe.’

Source: Kaspersky
Kaspersky says the same phishing wave distributed two more backdoors named ‘Netrunner’ and ‘Dmcserv.’ These are the same malware with different C2 (command and control) server configurations.
The script launches the malicious executables in a hidden window and adds a Start Menu link to establish persistence.

Source: Kaspersky
The functionality of the backdoor includes the following:
- List files and folders in a specified directory.
- Transfer (exfiltrate) files from the host to the C2.
- Collect clipboard contents.
- Capture desktop screenshots.
- Search the disk for files with specific extensions (.doc, .docx, .pdf, .xls, .xlsx, .ppt, .pptx, .zip, .rar, .7z, .odt, .ods, .kdbx, .ovpn, .pem, .crt, .key) and transfer them to the C2.
All data sent to the C2 server is first AES-encrypted to evade detection by network monitoring solutions.
To evade analysis, the malware performs username, system name, and directory checks to detect whether it is running in a virtualized environment and exits if it is.
The results of these checks are sent to the C2 in the initial phase of the infection to be used for victim profiling.
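The delivery chain above (payload dropped under DeviceSync, a Start Menu link for persistence, and callbacks to the fetch domain) can be hunted for in endpoint telemetry. The following script is an added example written for this page, not Kaspersky's code: it runs the article's indicators over constructed Sysmon-style records (event IDs 1, 11 and 22), and the Temp-folder name of the launcher process in the sample data is an assumption.

```python
from typing import Dict, List, Tuple

# Indicators taken from the article; the C2 domain is defanged as published
# and undefanged only for matching. Paths are compared case-insensitively.
DROPPED_EXE = r"c:\programdata\microsoft\devicesync\usrrunvga.exe"
C2_DOMAIN = "fas-gov-ru[.]com".replace("[.]", ".")
START_MENU = "\\start menu\\"
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")

# Constructed Sysmon-style records (EventID 1 = process create, 11 = file create,
# 22 = DNS query); sample data for the example, not real telemetry.
LAUNCHER = r"C:\Users\ivan\AppData\Local\Temp\finansovyy_kontrol_2023_180529.exe"  # assumed name
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "image": LAUNCHER},
    {"id": 11, "image": LAUNCHER, "target": r"C:\ProgramData\Microsoft\DeviceSync\UsrRunVGA.exe"},
    {"id": 11, "image": LAUNCHER,
     "target": r"C:\Users\ivan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UsrRunVGA.lnk"},
    {"id": 1, "image": r"C:\ProgramData\Microsoft\DeviceSync\UsrRunVGA.exe"},
    {"id": 22, "image": r"C:\ProgramData\Microsoft\DeviceSync\UsrRunVGA.exe", "query": "fas-gov-ru.com"},
    {"id": 22, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "www.kaspersky.com"},
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\Temp\x.tmp"},
]

def hunt(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for records matching the infection chain."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        image = str(ev.get("image", "")).lower()
        target = str(ev.get("target", "")).lower()
        query = str(ev.get("query", "")).lower()
        if ev["id"] == 11 and target == DROPPED_EXE:
            findings.append(("payload_dropped", f"{ev['image']} wrote {ev['target']}"))
        elif ev["id"] == 1 and image == DROPPED_EXE:
            findings.append(("payload_executed", str(ev["image"])))
        elif ev["id"] == 22 and (query == C2_DOMAIN or query.endswith("." + C2_DOMAIN)):
            findings.append(("c2_dns_query", f"{ev['image']} resolved {ev['query']}"))
        elif (ev["id"] == 11 and target.endswith(".lnk") and START_MENU in target
              and any(p in image for p in USER_WRITABLE)):
            # Start Menu link written by a binary running from a user-writable
            # location: the persistence step in the article. Review, do not auto-block.
            findings.append(("startmenu_link_persistence", f"{ev['image']} wrote {ev['target']}"))
    return findings

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The Start Menu rule is deliberately loose (legitimate installers also create such links), so it is meant as a triage signal to be correlated with the other three hits rather than a standalone alert.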

Source: Kaspersky
New version steals passwords
In mid-August, Kaspersky spotted a new variant of the backdoor that featured minor changes such as the removal of some noisy initial checks and the addition of new file-stealing capabilities.
Most notably, the new version adds a module that targets user passwords stored in 27 web browsers and the Thunderbird email client.
Browsers targeted by the latest backdoor version include Chrome, Firefox, Edge, Opera, Brave, Vivaldi, and Yandex, a popular and trusted browser in Russia.
The AES key has been refreshed in this malware version, and RSA asymmetric encryption has been added to protect client-C2 command and parameter communications.