At the beginning of 2022, Kaspersky Lab experts recorded a wave of targeted attacks aimed at defense enterprises and government institutions in Afghanistan, Russia, and a number of countries in Eastern Europe. Researchers believe that this is the work of the Chinese group TA 428.
In total, during the investigation, experts identified attacks on more than a dozen organizations, and also discovered the use of new modifications of previously known backdoors. Presumably, the goal of the attackers in this campaign was cyber espionage, and the researchers say that in some cases the attackers managed to completely capture the IT infrastructure of the targets.
The report highlights that all of the identified victims are either related to the defense industry or are government agencies. So, the targets of the attack were factories, design bureaus and research institutes, government agencies, ministries and departments of several countries of Eastern Europe (Belarus, Russia, Ukraine), as well as Afghanistan.
For attacks, hackers used well-prepared phishing emails. They contained inside information that was not available in public sources at the time of its use by attackers, including the names of employees working with confidential information, and internal code names of projects.
Phishing emails were accompanied by Microsoft Word documents with malicious code exploiting the old vulnerability CVE-2017-11882. It allows executing arbitrary code and seizing control over the infected system without any additional actions on the part of the user, he is not even required to enable macro execution. In the studied attacks, the main module of the PortDoor malware, previously described by Cybereason specialists, was used to compromise.
As the main tool for developing attacks, the attackers used the Ladon utility with the ability to scan the network, find and exploit vulnerabilities, and steal passwords. At the final stage, they captured the domain controller and received full control over the workstations and servers of the organization that are of interest to attackers.
Having received all the necessary rights, the attackers began to search for and upload files containing confidential data to their servers deployed in different countries of the world. The same servers were used to manage the malware.
The attackers placed the stolen files in encrypted, password-protected ZIP archives. After receiving the collected data, the first-level control servers forwarded the received archives to the second-level control server located in China.
It is noted that during the attack, hackers actively used dll hijacking and process hollowing techniques to counteract malware detection by security software, and in addition to Ladon and PortDoor, this campaign used an improved version of the nccTrojan trojan, as well as the Cotx and DNSep backdoors already known to specialists, and the new malware CotSam .