EastWind: New Cyber-Attack Hits Russian Government Bodies and IT Firms

The campaign, tracked as EastWind, relies on spear-phishing emails to deliver a set of backdoors and trojans.
The attack chains start with RAR archive attachments containing a Windows shortcut (LNK) which, when opened by the victim, triggers an infection chain that ends in the installation of malware such as GrewApacha, CloudSorcerer backdoor v2.0 and PlugY, a previously undocumented implant, on the target systems.
According to Russian cybersecurity firm Kaspersky, PlugY is downloaded through the CloudSorcerer backdoor. The implant supports an extensive command set and can communicate with its control server over three different protocols.
The attack begins with the malicious LNK file, which loads a malicious DLL through DLL side-loading. This DLL uses Dropbox to collect information about the host and to download additional payloads.
One of the payloads delivered this way is GrewApacha, a backdoor linked to the Chinese hacking group APT31. It hides the address of its real command server as a Base64-encoded string on a GitHub profile controlled by the attackers.
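The GitHub-profile trick described above gives defenders a hunting opportunity: a public profile field that holds a Base64 blob decoding to a URL or host is unusual and worth flagging. The following script is an added example for this article, not code from Kaspersky or from any of the malware discussed. It scans a constructed profile text for Base64 tokens, strictly decodes each one, and reports only those that decode to a URL, an IP/host with a port, or a bare hostname; the sample text, the `.invalid` domain and the function names are all assumptions made for the example.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample of a public profile description (not real attacker content).
# The first token decodes to a URL on the reserved .invalid TLD; the second
# decodes to harmless text, included to show that not every Base64 blob is an
# indicator and should not be reported.
SAMPLE_PROFILE_TEXT = """
Full-stack developer. Coffee first.
Links: aHR0cHM6Ly9leGFtcGxlLWMyLmludmFsaWQvYXBpL2JlYWNvbg==
Fan of U2VjdXJlIGNvZGluZyBpcyBmdW4=
Follow me 12345
"""

# A run of at least 16 Base64 alphabet characters plus optional padding,
# not glued to other Base64-looking characters on either side.
B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])"
)
# Dotted-quad IPv4 address or a dotted hostname (at least one dot).
HOST_RE = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$"
)


def decode_candidate(token):
    """Strictly decode a Base64 token to printable ASCII text, or return None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def looks_like_c2_address(text):
    """Return (kind, value) when decoded text is a URL, host:port or bare host/IP."""
    text = text.strip()
    parsed = urlparse(text)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return ("url", text)
    host, _, port = text.rpartition(":")
    if port.isdigit() and HOST_RE.match(host):
        return ("host_port", text)
    if HOST_RE.match(text):
        return ("host", text)
    return None


def find_hidden_addresses(profile_text):
    """Return a list of findings for Base64 tokens that hide a network address."""
    findings = []
    for match in B64_TOKEN.finditer(profile_text):
        token = match.group(0)
        decoded = decode_candidate(token)
        if decoded is None:
            continue  # not valid Base64, or binary / non-printable payload
        hit = looks_like_c2_address(decoded)
        if hit:
            findings.append({"token": token, "kind": hit[0], "value": hit[1]})
    return findings


if __name__ == "__main__":
    for finding in find_hidden_addresses(SAMPLE_PROFILE_TEXT):
        print(f"[{finding['kind']}] {finding['value']}  <- {finding['token']}")
```

The decoder uses `validate=True` so that ordinary prose with stray `+` or `/` characters is rejected rather than silently decoded to garbage, and the address check is deliberately conservative: a hit only means "a public profile field carries an encoded network address", which is a triage lead for analysts monitoring attacker-controlled accounts, not a verdict on its own.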
CloudSorcerer, another tool in the campaign, is a sophisticated cyber espionage malware that uses cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox to monitor targets and exfiltrate data. The newest version uses sites such as LiveJournal and Quora as its initial command servers.
The third malware, PlugY, is a feature-rich backdoor with a large impact on infected systems. It can connect to its control server over TCP, UDP, or named pipes, and can run shell commands, monitor the screen, log keystrokes, and capture clipboard content. Kaspersky found code overlaps between PlugY and DRBControl (also known as Clambling), a backdoor tied to the Chinese threat groups APT27 and APT41.
Kaspersky pointed out that the EastWind campaign uses well-known network services to act as command servers. These include GitHub, Dropbox, Quora, LiveJournal, and Yandex Disk.
In a separate study, Kaspersky described a watering hole attack that compromises a legitimate Russian gas supply website. The attack spreads CMoon, a worm that can steal confidential and payment data, capture screenshots, fetch additional malware, and launch DDoS attacks.
CMoon, written in .NET, has many ways to steal data and to be controlled remotely. It can harvest data from various applications such as web browsers, crypto wallets, and chat apps, among others. The worm also monitors connected USB drives, allowing it to steal important files and spread to other computers through removable storage.