A previously undocumented malware campaign known as DownEx has been observed actively targeting government institutions in Central Asia for cyberespionage, according to a report by Bitdefender.
The first instance of the malware was detected in 2022 in a highly targeted attack aimed at exfiltrating data from foreign government institutions in Kazakhstan. Researchers observed another attack in Afghanistan.
“The domain and IP addresses involved do not appear in any previously documented incidents, and the malware does not share any code similarities with previously known malicious software,” Bitdefender said in its research.
The researchers say that the attack highlights the sophistication of a modern cyberattack. “Cybercriminals are finding new methods for making their attacks more reliable,” the research said.
Based on the specific targets of the attacks, the document metadata impersonating a real diplomat, and the primary focus on data exfiltration, researchers believe that a state-sponsored group is responsible for these incidents. While the attacks have not been attributed to any specific threat actor, it is likely that a Russian group is behind them.
“One clue pointing at the origin of the attack is the use of a cracked version of Microsoft Office 2016 popular in Russian-speaking countries (known as “SPecialisST RePack” or “Russian RePack by SPecialiST”),” Bitdefender said in its report, adding that it is also unusual to see the same backdoor written in two languages. This practice was previously observed with the Russia-based group APT28 and its Zebrocy backdoor.
It is likely that the initial access method used by the group is phishing emails.
Initial access gained through social engineering
Researchers say that the threat actors most likely used social engineering techniques to deliver a spear-phishing email carrying a malicious payload as the initial access vector.
“The attack used a simple technique of using an icon file associated with .docx files to masquerade an executable file as a Microsoft Word document,” Bitdefender said.
When the victim opens the attachment, two files are downloaded: a decoy document that is displayed to the victim, and a malicious HTML application with embedded code that runs in the background. The payload is designed to establish communication with the command-and-control servers.
“The download of the next stage failed, and we have not been able to retrieve the payload from the command and control (C2) server. Based on our analysis of similar attacks, we expect threat actors attempted to download a backdoor to establish persistence,” Bitdefender said in the report.
Exfiltration of data
Upon execution, DownEx moves laterally across local and network drives to collect Word, Excel, and PowerPoint documents, images and videos, compressed files, and PDFs. It also looks for encryption keys and QuickBooks log files.
DownEx exfiltrates data using a password-protected zip archive, limiting the size of each archive to 30 MB. In some cases multiple archives were exfiltrated, the researchers observed.
“This is a fileless attack – the DownEx script is executed in memory and never touches the disk,” Bitdefender said.
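A defender-side triage check for the exfiltration profile described above (password-protected zip archives, capped at 30 MB, holding office documents, media, compressed files or PDFs), written here as an added example and not taken from Bitdefender's report or the malware itself. The extension list, the binary reading of "30 MB", and the header-patching trick used to build a constructed encrypted-flag sample are all assumptions of this example.

```python
import io
import struct
import zipfile

# File types the report says DownEx collects; concrete list is an assumption.
TARGET_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
               ".jpg", ".png", ".mp4", ".zip", ".rar", ".7z")
SIZE_CAP = 30 * 1024 * 1024  # per-archive limit noted in the report (assumed 2^20 MB)


def profile_zip(data: bytes) -> dict:
    """Flag a zip blob when every entry is encrypted (general-purpose bit 0,
    i.e. password-protected), at least one entry has a targeted extension,
    and the archive stays within the 30 MB cap."""
    info = {"total": 0, "encrypted": 0, "targeted": 0,
            "size": len(data), "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return info  # not a zip; nothing to profile
    for entry in zf.infolist():  # reads the central directory only
        info["total"] += 1
        if entry.flag_bits & 0x1:
            info["encrypted"] += 1
        if entry.filename.lower().endswith(TARGET_EXTS):
            info["targeted"] += 1
    info["suspicious"] = (info["total"] > 0
                          and info["encrypted"] == info["total"]
                          and info["targeted"] > 0
                          and info["size"] <= SIZE_CAP)
    return info


def make_sample(password_protected: bool) -> bytes:
    """Constructed sample archive. The stdlib cannot write encrypted zips, so
    the encryption bit is set by patching the local and central file headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("budget.xlsx", b"constructed sample content")
        zf.writestr("memo.docx", b"constructed sample content")
    data = bytearray(buf.getvalue())
    if password_protected:
        # flag field offset: 6 in local headers (PK\x03\x04), 8 in central (PK\x01\x02)
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + off)[0] | 0x1
                struct.pack_into("<H", data, pos + off, flags)
                pos = data.find(sig, pos + 4)
    return bytes(data)
```

In a hunt, `profile_zip` would be run over archives recovered from proxy or endpoint telemetry; a hit is a lead to correlate with process and network events, not a verdict on its own.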
To prevent attacks like this, researchers advise organizations to focus on implementing a combination of cybersecurity technologies to harden their security posture.
“Technologies such as advanced malware detection with machine learning that can identify malicious scripts, email filtering, sandbox for the detonation of suspicious files, network protection that can block C2 connections, and detection and response capabilities that extend beyond the endpoints to networks,” Bitdefender said in the report.
Rise in Russia-based malware
Following Russia's invasion of Ukraine in 2022, cyberespionage activity from Russia against Ukraine and the countries that support Ukraine has significantly intensified.
Governments are also trying to actively disrupt these activities and prevent state-sponsored groups from carrying out the attacks.
The news of the new malware strain involved in cyberespionage comes a day after the US announced that it had disrupted one of the most sophisticated malware sets used by the Russian intelligence services, the Snake malware.
The US government attributes the Snake malware to the Turla unit within Center 16 of the Federal Security Service of the Russian Federation (FSB). The Turla unit has used several versions of Snake malware over the last 20 years to steal sensitive documents from hundreds of computer systems across at least 50 countries. Its targets included governments, journalists, and other targets of interest to the Russian Federation, including NATO nations.
Copyright © 2023 IDG Communications, Inc.