New DownEx malware campaign targets Central Asia

A previously undocumented malware campaign known as DownEx has been observed actively targeting government institutions in Central Asia for cyberespionage, according to a report by Bitdefender.

The first instance of the malware was detected in 2022 in a highly targeted attack aimed at exfiltrating data from foreign government institutions in Kazakhstan. Researchers observed another attack in Afghanistan.

“The domain and IP addresses involved don’t appear in any previously documented incidents, and the malware doesn’t share any code similarities with previously known malicious software,” Bitdefender said in its research.

The researchers say that the attack highlights the sophistication of a modern cyberattack. “Cybercriminals are finding new methods for making their attacks more reliable,” the research said.

Based on the specific targets of the attacks, the document metadata impersonating a real diplomat, and the primary focus being on data exfiltration, researchers believe that a state-sponsored group is responsible for these incidents. While the attacks haven’t been attributed to any specific threat actor, it’s likely that a Russian group is responsible for the attacks.

“One clue pointing at the origin of the attack is the use of a cracked version of Microsoft Office 2016 common in Russian-speaking countries (known as “SPecialisST RePack” or “Russian RePack by SPecialiST”),” Bitdefender said in its report, adding that it is also unusual to see the same backdoor written in two languages. This practice was previously observed with the group APT28 (Russia-based) and its backdoor Zebrocy.

It’s likely that the initial access method used by the group is phishing emails.

Initial access gained through social engineering

Researchers say that the threat actors most likely used social engineering techniques to deliver a spear-phishing email with a malicious payload as the initial access vector.

“The attack used a simple technique of using an icon file associated with .docx files to masquerade an executable file as a Microsoft Word document,” Bitdefender said.

When the victim opens the attachment, two files are downloaded: a lure document that is displayed to the victim and a malicious HTML application with embedded code that runs in the background. The payload is designed to establish communication with the command-and-control servers.

“The download of the next stage failed, and we have not been able to retrieve the payload from the command and control (C2) server. Based on our analysis of similar attacks, we expect threat actors attempted to download a backdoor to establish persistence,” Bitdefender said in the report.

Exfiltration of data

Upon execution, DownEx moves laterally across local and network drives to extract Word, Excel and PowerPoint documents, images and videos, compressed files, and PDFs. It also looks for encryption keys and QuickBooks log files.

DownEx exfiltrates data using a password-protected zip archive, limiting the size of each archive to 30 MB. In some cases multiple archives were exfiltrated, the researchers observed.

“This is a fileless attack – the DownEx script is executed in memory and never touches the disk,” Bitdefender said.
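Two of the details above give a defender something concrete to check: the first stage was an executable wearing the .docx icon, and the exfiltration stage produced password-protected zip archives of at most 30 MB. The following is an added example written for this article, not Bitdefender's or DownEx's code: it classifies an attachment by its leading bytes rather than its name or icon, flags executables and HTML applications dressed up as documents, and marks small encrypted archives for review. The magic-byte markers, the extension list and the sample inputs are constructed for the example.

```python
import io
import zipfile

# Constructed markers for this example; none are Bitdefender indicators.
PE_MAGIC = b"MZ"                       # Windows executable (EXE/DLL/SCR)
ZIP_MAGIC = b"PK\x03\x04"              # ZIP local file header (DOCX is a ZIP)
HTA_MARKERS = (b"<hta:application", b"<script")  # HTML application payload
DOC_EXTS = ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf")
ARCHIVE_CAP = 30 * 1024 * 1024         # DownEx capped each exfil archive at 30 MB

def sniff_content(data: bytes) -> str:
    """Derive a coarse content type from the bytes, never from name or icon."""
    if data[:2] == PE_MAGIC:
        return "pe"
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
                    return "docx"
                # general-purpose bit 0 set on any entry => password-protected archive
                if any(zi.flag_bits & 0x1 for zi in zf.infolist()):
                    return "encrypted-zip"
                return "zip"
        except zipfile.BadZipFile:
            return "zip"
    if any(m in data[:4096].lower() for m in HTA_MARKERS):
        return "hta"
    return "unknown"

def check_attachment(name: str, data: bytes) -> tuple[str, str]:
    """Return (content_type, verdict); verdict is 'ok', 'review' or 'masquerade'."""
    content = sniff_content(data)
    # A document extension anywhere in the name (briefing.docx, briefing.docx.exe)
    # is what the user sees beside the Word icon; the bytes decide what it really is.
    looks_like_doc = any(f".{e}" in name.lower() for e in DOC_EXTS)
    if content in ("pe", "hta"):
        return content, "masquerade" if looks_like_doc else "review"
    if content == "encrypted-zip" and len(data) <= ARCHIVE_CAP:
        return content, "review"       # matches the exfiltration archive pattern
    return content, "ok"

def make_docx_like() -> bytes:
    """Constructed minimal OOXML container so the sniffer has a benign sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

Run at the mail gateway or on a quarantined attachment, `check_attachment` returns `("pe", "masquerade")` for a PE file named like a Word document while a genuine .docx passes as `("docx", "ok")`.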

To prevent attacks like this, researchers advise organizations to focus on implementing a mix of cybersecurity technologies to harden their security posture.

“Technologies such as advanced malware detection with machine learning that can identify malicious scripts, email filtering, sandboxes for the detonation of suspicious files, network security that can block C2 connections, and detection and response capabilities that extend beyond the endpoints to networks,” Bitdefender said in the report.

Rise in Russia-based malware

Since Russia’s invasion of Ukraine in 2022, cyberespionage activities from Russia against Ukraine and countries that support Ukraine have significantly intensified.

Governments are also attempting to actively disrupt these activities and prevent state-sponsored groups from carrying out the attacks.

The news of the new malware strain involved in cyberespionage comes a day after the US announced that it had disrupted one of the most sophisticated malware sets used by the Russian intelligence services, Snake malware.

The US government attributes the Snake malware to the Turla unit within Center 16 of the Federal Security Service of the Russian Federation (FSB). The Turla unit has used several versions of Snake malware over the last 20 years to steal sensitive documents from hundreds of computer systems across at least 50 countries. Its targets included governments, journalists, and other targets of interest to the Russian Federation, including NATO countries.

Copyright © 2023 IDG Communications, Inc.
