Several state and key industrial organizations in Russia were attacked with a custom Go-based backdoor that performs data theft, likely aiding espionage operations.

Kaspersky first detected the campaign in June 2023, and in mid-August the cybersecurity firm spotted a newer version of the backdoor that introduced better evasion, indicating ongoing optimization of the attacks.

The threat actors responsible for this campaign are unknown, and Kaspersky was limited to sharing indicators of compromise that can help defenders thwart the attacks.

The attack begins with an email carrying a malicious ARJ archive named 'finansovyy kontrol 2023 180529.' The malware payload is dropped in 'C:\ProgramData\Microsoft\DeviceSync' as 'UsrRunVGA.exe'.

Kaspersky says the same phishing wave distributed two more backdoors named 'Netrunner' and 'Dmcserv'. These are the same malware with different C2 server configurations.

The dropper script launches the malicious executables in a hidden window and adds a Start Menu link to establish persistence.

The backdoor's capabilities include:

- Transfer files from the host to the C2.
- Obtain clipboard contents.
- Search the disk for files with specific extensions and transfer them to the C2.

All data sent to the C2 server is first AES-encrypted to evade detection by network monitoring solutions.

To evade analysis, the malware checks the username, system name, and directories to detect whether it is running in a virtualized environment, and exits if it is. The results of these checks are sent to the C2 in the initial phase of the infection and are used for victim profiling.

In mid-August, Kaspersky noticed a new variant of the backdoor with minor changes, such as the removal of some noisy preliminary checks and the addition of new file-stealing capabilities.

Most notably, the new version adds a module that targets user passwords stored in 27 web browsers and the Thunderbird email client.
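The host artifacts named above (the drop directory, the 'UsrRunVGA.exe' file name, the Start Menu link for persistence, and the script launching the executable) can be turned into a simple hunt. The following is an added example, not code from Kaspersky or BleepingComputer: it applies those indicators to constructed Sysmon-style event records (EventID 1 ProcessCreate, EventID 11 FileCreate). The assumption that the Start Menu link lands in a Startup folder, and the sample events themselves, are mine and not stated in the article.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article. Paths are compared case-insensitively
# because NTFS is case-insensitive and log casing may differ.
DROP_DIR = r"c:\programdata\microsoft\devicesync"
DROP_NAME = "usrrunvga.exe"
# Assumption (not in the article): the persistence link lands in a Startup
# folder, either per-user or all-users.
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
# Script hosts that would match "the script launches the executable".
SCRIPT_HOSTS = tuple("\\" + h for h in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"))


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison."""
    return path.replace("/", "\\").strip().lower()


def check_event(ev: dict) -> list:
    """Apply the indicator rules to one Sysmon-style event dict."""
    findings = []
    eid = ev.get("EventID")
    if eid == 11:  # FileCreate
        target = _norm(ev.get("TargetFilename", ""))
        if target.startswith(DROP_DIR + "\\") and target.endswith(".exe"):
            # Exact file name from the article is high; any other .exe in a
            # directory that normally holds no executables is still worth a look.
            sev = "high" if target.endswith("\\" + DROP_NAME) else "medium"
            findings.append(Finding("exe_dropped_in_devicesync", sev, target))
        if STARTUP_LNK_RE.search(target):
            # Startup .lnk creation is common on its own; correlate with the above.
            findings.append(Finding("startup_lnk_created", "low", target))
    elif eid == 1:  # ProcessCreate
        image = _norm(ev.get("Image", ""))
        parent = _norm(ev.get("ParentImage", ""))
        if image.startswith(DROP_DIR + "\\"):
            sev = "high" if image.endswith("\\" + DROP_NAME) else "medium"
            rule = ("devicesync_exe_launched_by_script"
                    if parent.endswith(SCRIPT_HOSTS) else "process_from_devicesync")
            findings.append(Finding(rule, sev, f"{parent} -> {image}"))
    return findings


def hunt(events) -> list:
    """Run every event through check_event and flatten the results."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample events (not real telemetry), using Sysmon field names.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\DeviceSync\UsrRunVGA.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\ivan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceSync.lnk"},
    {"EventID": 1, "Image": r"C:\ProgramData\Microsoft\DeviceSync\UsrRunVGA.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\ivan\Downloads\report.pdf"},  # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},  # benign
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Run against the constructed sample, the three malicious events each produce one finding and the two benign events produce none. In practice the low-severity Startup-link rule is only useful when correlated with one of the other two on the same host, which is why it carries its own rule name rather than being folded into the others.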
Browsers targeted by the latest backdoor version include Chrome, Firefox, Edge, Opera, Brave, Vivaldi, and Yandex, a popular and trusted browser in Russia.

The AES key has been refreshed in this malware version, and RSA asymmetric encryption has been added to protect the commands and parameters exchanged between the client and the C2.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000