Hack group APT31 attacks the Russian fuel and energy complex and the media

Last updated: 2022/08/05 at 11:54 PM
Security Parrot Editorial Team Published August 5, 2022

In the spring of this year, Positive Technologies specialists detected attacks on a number of Russian organizations (media outlets and energy companies) that used a malicious document. Analysis of the malware involved showed that the Chinese group APT31 is behind these attacks.

Both campaigns contained identical code fragments that enumerate network adapters and collect data about the infected system; the decoy “stubs” in the documents were clearly similar; and cloud services were used to control the malware.

Using a cloud service for command and control is not in itself a new technique: the TaskMasters group used it earlier in its Webdav-O malware. The point of the technique is to bypass network defences, because the malware connects to a legitimate service. What allowed the researchers to link these attacks to APT31 was that the group had previously used the Dropbox cloud service in the same way, and the samples showed overlaps with some of the group’s tools.

The samples studied date from November 2021 to June 2022. All of them contain a legitimate file whose main task is to transfer control to a malicious library (for example via the DLL side-loading technique) and to form an initialization package that is sent to the control server.

A significant share of the legitimate executables identified were components of Yandex.Browser signed with a valid digital signature.

The analysis also uncovered two new malware families, named YaRAT (because it uses Yandex.Disk as a control server and has remote access trojan functionality) and Stealer0x3401 (after the constant used to obfuscate the encryption key).

In the case of YaRAT, the legitimate file vulnerable to DLL side-loading was the Yandex Browser installer (or its portable version), signed with a valid Yandex digital signature. Stealer0x3401, in turn, used the legitimate binary dot1xtray.exe, which loaded the malicious library msvcr110.dll.
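The side-loading pattern described above, a validly signed host binary resolving a runtime-named DLL from its own directory rather than from the Windows system directory, can be hunted for in image-load telemetry. The following is an added example, not code from the article or from Positive Technologies: it runs over constructed records modelled on Sysmon Event ID 7 fields, and the set of DLL names beyond msvcr110.dll is an assumption.

```python
"""Spot DLL side-loading candidates in Sysmon-style ImageLoad (Event ID 7)
records. Added example, not from the article or Positive Technologies; the
records below are constructed and the DLL name list is an assumption."""
import ntpath

# Runtime DLL names that a legitimate host binary resolves by bare name.
# msvcr110.dll is the name given in the article; the others are assumed.
RUNTIME_DLLS = {"msvcr110.dll", "msvcp110.dll", "version.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")

# Constructed records modelled on Sysmon Event ID 7 fields.
EVENTS = [
    {"Image": r"C:\Users\u1\AppData\Local\Temp\dot1xtray.exe",
     "ImageLoaded": r"C:\Users\u1\AppData\Local\Temp\msvcr110.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcr110.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

def is_sideload_candidate(event: dict) -> bool:
    """True when a runtime-named DLL is loaded from the host's own directory,
    outside the Windows system directories, without a valid signature."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    if ntpath.basename(loaded) not in RUNTIME_DLLS:
        return False
    if loaded.startswith(SYSTEM_DIRS):
        return False                      # normal resolution path
    if ntpath.dirname(loaded) != ntpath.dirname(image):
        return False                      # DLL is not sitting beside the host
    validly_signed = (event.get("Signed", "false").lower() == "true"
                      and event.get("SignatureStatus") == "Valid")
    return not validly_signed

def scan(events: list) -> list:
    """Return the host image paths that show the side-loading pattern."""
    return [e["Image"] for e in events if is_sideload_candidate(e)]

if __name__ == "__main__":
    for path in scan(EVENTS):
        print("possible DLL side-loading by", path)
```

In the constructed data only the dot1xtray.exe record is flagged; the same DLL name loaded from System32, or a validly signed DLL beside its host, is treated as normal.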

“In 2021, APT31 activity was noted by us in Mongolia, Russia, the United States and other countries,” says Positive Technologies expert Daniil Koloskov. also similar artifacts of the compilation tools used. All this allows us to conclude that the group we studied is still functioning and can continue attacks on organizations in Russia.”

According to Koloskov, malware that uses Yandex.Disk as a control server is extremely difficult to detect by its network interaction: “In fact, this is normal legitimate traffic between the client and the service. This malware can only be detected over time using monitoring tools, including anti-virus technologies. Therefore, it is important to work proactively – to tell employees about digital hygiene measures and about phishing techniques used by attackers. In addition, it is desirable for a company to have a separate address where employees can send samples of received suspicious letters and report them to information security specialists,” explains the expert.
