A nation-state actor with ties to China is suspected of being behind a series of attacks against industrial organizations in Eastern Europe last year to steal data stored on air-gapped systems.
Cybersecurity company Kaspersky attributed the intrusions with medium to high confidence to a hacking crew called APT31, which is also tracked under the monikers Bronze Vinewood, Judgment Panda, and Violet Typhoon (formerly Zirconium), citing commonalities in the tactics observed.
The attacks entailed the use of more than 15 distinct implants and their variants, broken down into three broad categories based on their ability to establish persistent remote access, gather sensitive information, and transmit the collected data to actor-controlled infrastructure.
“One of the implant types appeared to be a sophisticated modular malware, aimed at profiling removable drives and contaminating them with a worm to exfiltrate data from isolated, or air-gapped, networks of industrial organizations in Eastern Europe,” Kaspersky said.
“The second type of implant is designed to steal data from a local computer and send it to Dropbox with the help of the next stage implant.”
One set of backdoors includes various versions of a malware family called FourteenHi that have been put to use since at least mid-March 2021 and which come with a broad spectrum of features to upload and download arbitrary files, run commands, start a reverse shell, and erase their own presence from the compromised hosts.
The other is the first-stage backdoor MeatBall, used for remote access and initial data gathering, with capabilities to list running processes, enumerate connected devices, perform file operations, capture screenshots, and update itself.
A third type of first-stage implant has also been discovered that uses Yandex Cloud for command-and-control, mirroring similar findings from Positive Technologies in August 2022 involving APT31 targeting Russian media and energy companies.
“The tendency to misuse cloud services (for example, Dropbox, Yandex, Google, etc.) is not new, but continues to expand, as it is difficult to restrict/mitigate in cases when an organization’s business processes rely on such services,” the Kaspersky researchers said.
“Threat actors continue to make threats more difficult to detect and analyze by hiding payloads in encrypted form in separate binary data files and by hiding malicious code in the memory of legitimate applications through a series of DLL hijacking and memory injections.”
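The quote above frames the defensive problem: blocking Dropbox or Yandex outright is rarely an option when the business depends on them, so detection has to key on context, chiefly which process is talking to the service, since svchost.exe or rundll32.exe reaching a cloud storage API is far more telling than a browser doing so. The following is an added example, not Kaspersky's code or any implant's, that flags cloud-storage connections made by processes outside an allow-list; the event shape (Sysmon Event ID 3-like dicts), the allow-list and the sample records are assumptions constructed for illustration.

```python
"""Flag cloud-storage traffic from unexpected processes.

Added example, not code from the article or from Kaspersky. Assumes
network events already parsed into dicts (e.g. from Sysmon Event ID 3
or an EDR export) with the fields used below; sample records are
constructed.
"""

# Cloud storage / API hosts reported as abused for C2 and exfiltration.
# Matched as domain suffixes so that subdomains count.
CLOUD_STORAGE_SUFFIXES = (
    "dropboxapi.com",
    "dropbox.com",
    "cloud-api.yandex.net",
    "disk.yandex.ru",
    "googleapis.com",
)

# Processes expected to talk to these services in this (hypothetical)
# environment. Anything else doing so deserves a look: legitimate-looking
# system binaries are exactly where DLL hijacking and memory injection
# hide the real payload.
EXPECTED_CLIENTS = {
    "dropbox.exe",
    "yandexdisk.exe",
    "chrome.exe",
    "msedge.exe",
    "firefox.exe",
}


def is_cloud_storage_host(host: str) -> bool:
    """True if host is one of the watched domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def find_suspicious(events, expected_clients=EXPECTED_CLIENTS):
    """Return sorted, deduplicated (process_name, host) pairs for
    cloud-storage connections made by processes outside the allow-list."""
    hits = set()
    for ev in events:
        host = ev.get("DestinationHostname", "")
        # Image is a full path; compare on the bare executable name.
        proc = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if is_cloud_storage_host(host) and proc not in expected_clients:
            hits.add((proc, host.lower()))
    return sorted(hits)


# Constructed sample events in a Sysmon Event ID 3-like shape.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "DestinationHostname": "api.dropboxapi.com", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "content.dropboxapi.com", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationHostname": "cloud-api.yandex.net", "DestinationPort": 443},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.googleapis.com", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "ctldl.windowsupdate.com", "DestinationPort": 80},
]

if __name__ == "__main__":
    for proc, host in find_suspicious(SAMPLE_EVENTS):
        print(f"review: {proc} -> {host}")
```

On the constructed sample this reports the svchost.exe and rundll32.exe connections and stays quiet about the Dropbox client and the browser. The allow-list is the tuning knob: in a real environment it should be derived from baseline telemetry rather than guessed, and the same logic applies to any cloud service the business cannot simply block.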
APT31 has also been observed using dedicated implants to exfiltrate data from air-gapped systems by infecting removable drives as well as collecting local files.
The latter malware strain consists of at least three modules, each responsible for a different task: profiling and handling removable drives, recording keystrokes and capturing screenshots, and planting second-stage malware on newly connected drives.
“The threat actor’s deliberate attempts to obscure their actions through encrypted payloads, memory injection and DLL hijacking [underscore] the sophistication of their tactics,” said Kirill Kruglov, senior security researcher at Kaspersky ICS CERT.
“While exfiltrating data from air-gapped networks is a recurring tactic adopted by many APTs and targeted cyber espionage campaigns, this time it is uniquely designed and implemented by the actor.”
While the above attack chains are clearly engineered for Windows environments, there is evidence that APT31 has turned its attention to Linux systems as well.
Earlier this month, the AhnLab Security Emergency Response Center (ASEC) disclosed possible attacks by the adversary against South Korean companies with the goal of infecting machines with a backdoor called Rekoobe.
ASEC said, “Rekoobe is a backdoor that can receive commands from [command-and-control] servers to perform various tasks such as downloading malicious files, stealing internal files from the system, and executing reverse shells.”
“While it may appear simple in structure, it uses encryption of network packets to avoid detection and can perform a variety of malicious behaviors through threat actor commands.”