Analysis Summary

A spear-phishing campaign dubbed EastWind is aimed at the Russian government and IT institutions, dispersing a variety of trojans and backdoors.

The attack chains are distinguished by the use of RAR archive attachments that contain a Windows shortcut (LNK) file. Opening the LNK file initiates the infection sequence, which leads to the deployment of malware like GrewApacha, an upgraded CloudSorcerer backdoor, and an implant called PlugY that was previously unreported. PlugY contains a large command set and supports three different protocols for communication with the command-and-control server. It may be downloaded using the CloudSorcerer backdoor.

The initial infection vector is based on a booby-trapped LNK file that uses DLL side-loading techniques to start a malicious DLL file that communicates with Dropbox to carry out commands for reconnaissance and download more payloads. One piece of malware that was used with the DLL was GrewApacha, a backdoor that was previously connected to the APT31 group, which is linked to China. It is also launched via DLL side-loading, and it stores a Base64-encoded string of the real C2 server utilizing a GitHub profile under the control of the attacker as a dead drop resolver.

On the other hand, CloudSorcerer is an advanced cyber espionage tool that uses Dropbox, Yandex Cloud, and Microsoft Graph Cloud architecture for data collecting, exfiltration, and covert surveillance. The revised version uses reputable sites like LiveJournal and Quora as an initial C2 server, just like GrewApacha did. The encrypted authentication token needed to interface with the cloud service is contained in profile bios, much like in earlier iterations of CloudSorcerer. Moreover, it makes use of an encryption-based defense mechanism that makes sure the malware only detonates on the victim's machine through the use of a special key that is generated at runtime using the Windows GetTickCount() function.

The third family of malware seen in the attacks is called PlugY. It is a fully functional backdoor with the ability to execute shell commands, log keystrokes, watch device screens, and capture clipboard contents. It communicates to a management server via TCP, UDP, or named pipes. According to the researchers, an examination of PlugX's source code revealed parallels with DRBControl, also known as Clambling, a backdoor that has been linked to threat clusters with a China nexus that are monitored as APT27 and APT41. Russian LiveJournal and Yandex Disk, along with well-known network services like GitHub, Dropbox, and Quora, were utilized as command servers by the attackers behind the EastWind campaign.

The revelation occurred as cybersecurity experts also described a watering hole attack in which a legitimate Russian gas supply website was compromised to disseminate a worm called CMoon. This worm is capable of collecting sensitive information, including payment details, taking screenshots, downloading more malware, and initiating distributed denial-of-service (DDoS) attacks against targets of interest. Additionally, the malware gathers information from a variety of online browsers, wallets for cryptocurrencies, instant messaging programs, SSH clients, file transfer programs, apps for streaming and recording videos, authenticators, remote desktop tools, and VPNs.

Data theft and remote control are two of the many features of the CMoon worm, which is written in .NET. As soon as the executable file is installed, it starts keeping an eye on the linked USB drives. Using portable media, threat actors can steal files that might be of interest to them, transfer a worm, and infect other machines that will use the drive.

Impact

• Cyber Espionage
• Command Execution
• Unauthorized Access
• Data Theft and Exfiltration

Indicators of Compromise

MD5

• faf1f7a32e3f7b08017a9150dccf511d
• 67cfecf2d777f3a3ff1a09752f06a7f5

SHA-256

• 141efc5eb38437b876fd1c82231fe80b836290b5fbe48a5dd57a85e2ce25e12b
• 0aa627736df73c543c26c3f033f1962282dd005e6a0ec8d9357df3511b2fc8a6

SHA-1

• 196f35ff6c47bb4002be7d7d71a541afd5d21497
• bce22646f0d7c3abc616996cd08b706590e724e1

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Never trust or open links and attachments received from unknown sources/senders.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.