uTalk

Official forum for Utopia Community

You are not logged in.

#1 2023-08-01 23:19:50

thrive
Member
Registered: 2023-01-04
Posts: 1,952

APT31 from China is suspected of attacking air-gapped systems in East

An Eastern European industrial organization was the target of several attacks last year to steal data from air-gapped systems, all of which are thought to have been carried out by a nation-state actor with ties to China.

APT31, a hacker group also known as Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium), was the group responsible for the intrusions, according to cybersecurity firm Kaspersky, who put their confidence in their conclusion with a medium to high level of certainty.

Based on their capacity to establish persistent remote access, gather sensitive information, and transmit the collected data to actor-controlled infrastructure, the attacks involved the use of more than 15 different implants and their variants. These implants were divided into three major categories.

One of the implant types "appeared to be a sophisticated modular malware, aimed at profiling removable drives and contaminating them with a worm to exfiltrate data from isolated, or air-gapped, networks of industrial organizations in Eastern Europe," Kaspersky said.

"The other implant type is intended to steal data from a local computer and send it to Dropbox with the aid of the subsequent implant types. ".

One collection of backdoors consists of various iterations of the FourteenHi malware family, which has been in circulation since at least mid-March 2021 and has a wide range of capabilities, including the ability to upload and download arbitrary files, execute commands, launch a reverse shell, and remove its own presence from the compromised hosts.

MeatBall is a second first-stage backdoor used for remote access and initial data collection. It has the ability to list active processes, enumerate connected devices, operate on files, take screenshots, and self-update.

A third type of first-stage implant that uses Yandex Cloud for command-and-control has also been found, echoing findings from Positive Technologies in August 2022 outlining APT31 attacks on Russian media and energy companies.

"The propensity to misuse cloud-based services (e.
g.
as well as Google, Yandex, and Dropbox. (which is not a new problem, but it keeps growing because it is difficult to contain or mitigate when an organization's business operations rely on the use of such services, according to Kaspersky researchers.

Threat actors continue to make it more challenging to identify and analyze threats by concealing payloads in encrypted form in separate binary data files and by putting malicious code into the memory of trusted applications using DLL hijacking and a series of memory injections. ".


Dedicated implants have also been seen being used by APT31 to steal data from air-gapped systems by infecting removable drives and gathering local files.

The latter malware strain consists of at least three modules, each of which performs a different function, such as handling and profiling removable drives, capturing keystrokes and screenshots, and installing subsequent malware on newly connected drives.

According to Kirill Kruglov, senior security researcher at Kaspersky ICS CERT, the threat actor made conscious efforts to obscure their actions using encrypted payloads, memory injections, and DLL hijacking.

While data exfiltration from air-gapped networks is a common tactic used by many APTs and targeted cyberespionage campaigns, the actor this time around has designed and carried out the operation specifically. ".

The aforementioned attack chains were specifically designed for the Windows environment, but there is evidence that APT31 has also targeted Linux systems.

The AhnLab Security Emergency Response Center (ASEC) discovered attacks earlier this month against South Korean businesses with the intention of infecting the machines with a backdoor referred to as Rekoobe.

According to ASEC, Rekoobe is a backdoor that can take instructions from a [command-and-control] server to carry out a number of tasks, including downloading malicious files, stealing internal files from a system, and executing reverse shell.

Although its structure may be straightforward, it uses encryption to avoid network packet detection and is capable of a wide range of malicious actions when given orders by the threat actor. ".

Offline

Board footer

Powered by FluxBB