Threat intelligence experts from Positive Technologies have come across a malware campaign by the APT 31 group that delivers malicious payloads through email mailings to targets in Mongolia, Russia, Canada, the USA and Belarus.

During the initial investigation, the experts observed that the threat actors use interesting file names (“хавсралт.scr” [“havsralt.scr”] (Mongolian for "attachment"), “Информация_Рб_июнь_2021_года_2021062826109.exe”) for files that contain a Remote Access Trojan payload targeting the government sector, the aerospace and defense industries and financial companies.

Researchers believe that the group's main objective is cyber espionage against these key targets.

“The main objective of the dropper, the appearance of the main function of which is shown in Figure 1, is the creation of two files on the infected computer: a malicious library and an application vulnerable to DLL Sideloading (this application is then launched). Both files are always created over the same path: C:\ProgramData\Apacha. In the absence of this directory, it is created and the process is restarted.” reads the blog post.

Figure 1: Overview of the dropper's basic function. Source: ptsecurity

In the second stage, the vulnerable application loads the malicious library and calls one of its functions. One interesting technique used by this malware is naming the malicious library “MSVCR100.dll”, the name of a legitimate runtime library that exists in the System32 folder on almost every Windows PC; because the application is sideload-vulnerable, it picks up the attacker's copy placed next to it instead of the system one.
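As an added illustration (not code from the Positive Technologies report or from CyberWorkx), the following check flags the sideloading footprint described above: MSVCR100.dll being loaded from somewhere other than the Windows system directories, including the C:\ProgramData\Apacha path the dropper uses. The Sysmon-style image-load lines, the trusted-directory list and the host executable name sideload_host.exe are constructed assumptions, not values from the report.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Directories where the legitimate MSVCR100.dll is expected to live.
# Assumption: a standard Windows layout; WinSxS also holds redistributable copies.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Directory the report says the dropper always writes both files to.
DROPPER_DIR = r"c:\programdata\apacha"

# Constructed, Sysmon-style image-load records (Event ID 7 fields); not real telemetry.
SAMPLE_EVENTS = [
    r"Image: C:\ProgramData\Apacha\sideload_host.exe ImageLoaded: C:\ProgramData\Apacha\MSVCR100.dll",
    r"Image: C:\Program Files\Tool\tool.exe ImageLoaded: C:\Windows\System32\MSVCR100.dll",
    r"Image: C:\Users\u\AppData\Local\Temp\x.exe ImageLoaded: C:\Users\u\AppData\Local\Temp\msvcr100.dll",
    r"Image: C:\Program Files\Tool\tool.exe ImageLoaded: C:\Windows\System32\kernel32.dll",
]
EVENT_RE = re.compile(r"Image: (?P<image>.+?) ImageLoaded: (?P<loaded>.+)$")

def classify_load(image: str, loaded: str) -> Optional[str]:
    """Return a reason if this load fits the sideloading pattern from the report, else None."""
    dll = PureWindowsPath(loaded)
    if dll.name.lower() != "msvcr100.dll":
        return None
    dll_dir = str(dll.parent).lower()
    if dll_dir.startswith(DROPPER_DIR):
        return "MSVCR100.dll loaded from the dropper's known directory"
    if any(dll_dir.startswith(d) for d in TRUSTED_DIRS):
        return None
    exe_dir = str(PureWindowsPath(image).parent).lower()
    if exe_dir == dll_dir:
        # A system library's name resolved from the host executable's own
        # directory is the classic DLL sideloading footprint.
        return f"MSVCR100.dll sideloaded from the host's directory {dll_dir}"
    return f"MSVCR100.dll loaded from untrusted directory {dll_dir}"

def scan_events(lines):
    """Parse each record and return (image, reason) pairs for the suspicious ones."""
    hits = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        reason = classify_load(m["image"], m["loaded"])
        if reason:
            hits.append((m["image"], reason))
    return hits

if __name__ == "__main__":
    for image, reason in scan_events(SAMPLE_EVENTS):
        print(f"{reason}: {image}")
```

On the constructed sample the first and third records are flagged; the legitimate System32 load and the unrelated kernel32.dll load are not.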

“It is also worth noting that in some cases, particularly during attacks on Mongolia, the dropper was signed with a valid digital signature (Figure 10). PT ESC experts believe that this signature was most likely stolen,” the researchers stated.

Figure 10: Valid digital signature of a dropper. Source: PTsecurity

The malware also supports a list of commands that it can execute once inside the victim machine:

  • 0x3: get information on mapped drives.
  • 0x4: perform file search.
  • 0x5: create a process, communication through the pipe.
  • 0xA: create a process via ShellExecute.
  • 0xC: create a new stream with a file download from the server.
  • 0x6, 0x7, 0x8, 0x9 (identical): search for a file or perform the necessary operation via SHFileOperationW (copy file, move file, rename file, delete file).
  • 0xB: create a directory.
  • 0xD: create a new stream, sending the file to the server.
  • 0x11: self-delete.

CyberWorkx news readers can check out the IOCs of this malware here.

Source: ptsecurity.

For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.
