In the spring of this year, Positive Technologies specialists detected an attack on a number of Russian organizations (media and energy companies) using a malicious document. An analysis of the malware used showed that the Chinese group APT31 is behind these attacks.
In both campaigns, identical code fragments were found that retrieve network adapter information and collect data about the infected system; the “stubs” in the documents were clearly similar, and cloud servers were used to control the malware.
Attribution to APT31 was possible even though using a cloud service for command and control is not a new technique in itself: the TaskMasters group previously used it in its Webdav-O malware. The point of the technique is to bypass network defenses, since the malware connects to a legitimate service. Because the group had previously used the Dropbox cloud service, the researchers noticed overlaps with some of the group’s tools.
Samples of the studied malware date from November 2021 to June 2022. All of them included legitimate files whose main task is to transfer control to a malicious library, for example via the DLL Side-Loading technique, and to form an initialization package that is sent to the control server.
A significant proportion of the identified legitimate executables were components of Yandex.Browser signed with a valid digital signature.
During the analysis, two new types of malware were also discovered. They were named YaRAT (because it uses Yandex.Disk as a control server and has remote access trojan functionality) and Stealer0x3401 (after the constant used to obfuscate the encryption key).
In the case of YaRAT, the Yandex Browser installer (or its portable version), signed with a valid Yandex digital signature, served as the legitimate file vulnerable to DLL side-loading. Stealer0x3401, in turn, used the legitimate binary dot1xtray.exe, which loaded the malicious library msvcr110.dll.
“In 2021, APT31 activity was noted by us in Mongolia, Russia, the United States and other countries,” says Positive Technologies expert Daniil Koloskov. “[…] also similar artifacts of the compilation tools used. All this allows us to conclude that the group we studied is still functioning and can continue attacks on organizations in Russia.”
According to Koloskov, malware that uses Yandex.Disk as a control server is extremely difficult to detect by network interaction: “In fact, this is normal legitimate traffic between the client and the service. Such malware can only be detected over time using monitoring tools, including anti-virus technologies. Therefore, it is important to work proactively – to tell employees about digital hygiene measures and about phishing techniques used by attackers. In addition, it is desirable for a company to have a separate address where employees can send samples of received suspicious letters and report them to information security specialists,” explains the expert.
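The two detection opportunities the article describes, a legitimate signed executable loading a system-library-named DLL from its own directory (the dot1xtray.exe / msvcr110.dll pairing) and a non-browser process talking to the Yandex.Disk service, can both be expressed as host-telemetry rules. The script below is an added example, not code from Positive Technologies or from the report; it runs over constructed Sysmon-style JSON events (image-load and network-connect records). The watchlist beyond msvcr110.dll, the Yandex.Disk hostnames and the allowlist of client processes are assumptions to be tuned to a real environment.

```python
import json
import ntpath

# Constructed Sysmon-style events (JSON lines), not telemetry from the report.
# EventID 7 = image loaded, EventID 3 = network connection.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\u1\\Downloads\\dot1xtray.exe", "ImageLoaded": "C:\\Users\\u1\\Downloads\\msvcr110.dll", "Signed": "false", "Signature": ""}
{"EventID": 7, "Image": "C:\\Program Files\\App\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\msvcr110.dll", "Signed": "true", "Signature": "Microsoft Corporation"}
{"EventID": 7, "Image": "C:\\Program Files\\App\\app.exe", "ImageLoaded": "C:\\Program Files\\App\\msvcr110.dll", "Signed": "true", "Signature": "Microsoft Corporation"}
{"EventID": 3, "Image": "C:\\Users\\u1\\Downloads\\dot1xtray.exe", "DestinationHostname": "cloud-api.yandex.net", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\Yandex\\YandexBrowser\\browser.exe", "DestinationHostname": "cloud-api.yandex.net", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Users\\u1\\Downloads\\dot1xtray.exe", "DestinationHostname": "update.example.com", "DestinationPort": 443}
"""

# DLL names that normally live under C:\Windows and carry a Microsoft signature.
# msvcr110.dll is the one named in the report; the others are a placeholder watchlist.
SIDELOAD_WATCHLIST = {"msvcr110.dll", "msvcr120.dll", "version.dll"}

# Yandex.Disk service endpoints (assumption: REST API and WebDAV hostnames).
CLOUD_HOSTS = {"cloud-api.yandex.net", "webdav.yandex.ru"}

# Processes expected to talk to Yandex.Disk; constructed allowlist, tune per estate.
CLOUD_CLIENT_ALLOWLIST = {"browser.exe", "yandexdisk2.exe"}


def is_under_windows(path: str) -> bool:
    """True if the path points into the Windows directory (case-insensitive)."""
    return path.lower().startswith("c:\\windows\\")


def check_image_load(ev: dict):
    """Flag a watchlisted DLL loaded from the host EXE's own directory
    outside C:\\Windows without a Microsoft signature (side-loading pattern)."""
    dll = ev["ImageLoaded"]
    if ntpath.basename(dll).lower() not in SIDELOAD_WATCHLIST:
        return None
    colocated = ntpath.dirname(dll).lower() == ntpath.dirname(ev["Image"]).lower()
    ms_signed = ev.get("Signed") == "true" and "microsoft" in ev.get("Signature", "").lower()
    if colocated and not is_under_windows(dll) and not ms_signed:
        return ("dll_sideload", ev["Image"], dll)
    return None


def check_network(ev: dict):
    """Flag a connection to the cloud-storage service from a process that is
    not an expected client; the traffic itself looks legitimate, the process does not."""
    host = ev["DestinationHostname"].lower()
    proc = ntpath.basename(ev["Image"]).lower()
    if host in CLOUD_HOSTS and proc not in CLOUD_CLIENT_ALLOWLIST:
        return ("cloud_c2_candidate", ev["Image"], host)
    return None


def scan(jsonl: str) -> list:
    """Run both rules over a JSON-lines event stream and return the findings."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev["EventID"] == 7:
            hit = check_image_load(ev)
        elif ev["EventID"] == 3:
            hit = check_network(ev)
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, image, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {image} -> {detail}")
```

The third image-load event shows why the signature check matters: an application shipping its own Microsoft-signed copy of the runtime is co-located too, but is not flagged. The network rule is only a candidate signal, exactly as the expert quoted above notes; it needs correlation with the process's origin (here, a file in a Downloads folder) before it is actionable.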