An unknown advanced persistent threat (APT) group has been linked to a series of spear-phishing attacks targeting Russian government entities since the onset of the Russo-Ukrainian war in late February 2022.
“The campaigns […] are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely,” Malwarebytes said in a technical report published Tuesday.
The cybersecurity company attributed the attacks with low confidence to a Chinese hacking group, citing infrastructure overlaps between the RAT and Sakula Rat malware used by a threat actor known as Deep Panda.
The attack chains, while leveraging different lures over the course of two months, all employed the same malware barring small differences in the source code.
The campaign is said to have commenced around February 26, days after Russia’s military invasion of Ukraine, with the emails distributing the RAT under the guise of an interactive map of Ukraine (“interactive_map_UA.exe”).
The development once again demonstrates threat actors’ capabilities to adapt and adjust their attacks to world events, using the most relevant and up-to-date lures to maximize their chances of success.
A second early March attack wave primarily targeted the state-controlled RT TV and involved the use of a rogue software fix for the Log4Shell vulnerability that made headlines in late 2021.
Besides including the patch in the form of a compressed TAR file, the email message also came with a PDF document with instructions to install the patch and listed the best security practices to follow, including enabling two-factor authentication, using Kaspersky antivirus, and refraining from opening or replying to suspicious emails.
In a further attempt to boost the authenticity of the email, the document also contained a VirusTotal URL pointing to an unrelated file to give the impression that the Log4j patch file is not malicious.
What’s more, the email featured links to an attacker-controlled domain “rostec[.]digital” along with fraudulent profiles created on Facebook and Instagram alluding to the Russian defense conglomerate.
“Interestingly, the threat actor created the Facebook page in June 2021, nine months before it was used in this campaign,” the researchers said. “This was probably an attempt to attract followers, to make the page look more legitimate, and it suggests the APT group were planning this campaign long before the invasion of Ukraine.”
The third iteration of the attack that followed made use of another malicious executable file — this time “build_rosteh4.exe” — in an attempt to pass off the malware as though it’s from Rostec.
Lastly, in mid-April 2022, the attackers pivoted to a job-themed phishing bait for Saudi Aramco, a Saudi Arabian petroleum and natural gas company, the weaponized Microsoft Word document acting as a trigger for an infection sequence to deploy the RAT.
The DLL payload employs a variety of advanced tricks to thwart analysis, including control flow flattening and string obfuscation, while also incorporating features that allow it to arbitrary files sent from a remote server to the infected host and execute command-line instructions.
The findings closely follow findings from Check Point that a Chinese adversarial collective with connections to Stone Panda and Mustang Panda targeted at least two research institutes located in Russia with a previously undocumented backdoor called Spinner.