Yorotrooper is a sophisticated espionage campaign that has been active since at least 2018, targeting organizations in Europe and Turkey. This campaign has been attributed to a threat actor group called APT27, which is believed to be associated with the Chinese government. The goal of Yorotrooper is to collect sensitive information from a range of industries, including government, military, and energy.
APT27’s tactics include using spear-phishing emails to deliver malware and exploiting vulnerabilities in software to gain access to victims’ networks. The malware used in Yorotrooper is highly customized, making it difficult to detect and analyze. Once installed on a victim’s computer, the malware can steal data, log keystrokes, take screenshots, and even use a victim’s webcam and microphone to record audio and video.
One notable aspect of Yorotrooper is its use of a legitimate remote access tool called QuasarRAT. This tool is widely available online and has been repurposed by APT27 to remotely control compromised systems. This technique allows the threat actors to avoid detection and operate within victim networks for long periods of time.
The targets of Yorotrooper include government agencies, military organizations, academic institutions, and companies involved in the energy sector. The campaign has focused primarily on Turkey and Europe, but some targets in Africa and the Middle East have also been identified. The motivation behind the campaign is unclear, but it is believed to be part of China’s broader efforts to gather intelligence and advance its strategic interests.
To defend against Yorotrooper and other advanced persistent threats, organizations should take steps to improve their cybersecurity posture. This includes implementing strong access controls, regularly patching vulnerabilities, and training employees to recognize and avoid phishing emails. It’s also important to use advanced threat detection tools to monitor networks for suspicious activity and respond quickly to any incidents that are detected.
In conclusion, Yorotrooper is a highly sophisticated espionage campaign that has been active since at least 2018. It is believed to be associated with the Chinese government and has targeted a range of organizations in Europe and Turkey. The campaign uses spear-phishing emails, exploits software vulnerabilities, and deploys highly customized malware to steal sensitive data. To protect against Yorotrooper and other advanced persistent threats, organizations should adopt a comprehensive approach to cybersecurity that includes strong access controls, regular patching, employee training, and advanced threat detection.
| Malicious subdomain | Legitimate domain | Entity |
| --- | --- | --- |
| mail[.]mfa[.]gov[.]kg[.]openingfile[.]net | mfa[.]gov[.]kg | Kyrgyzstan's Ministry of Foreign Affairs |
| akipress[.]news | akipress[.]com | AKI Press News Agency (Kyrgyzstan-based) |
| maileecommission[.]inro[.]link | commission[.]europa[.]eu | European Commission's email |
| sts[.]mfa[.]gov[.]tr[.]mypolicy[.]top | mfa[.]gov[.]tr | Turkey's Ministry of Foreign Affairs |
| industry[.]tj[.]mypolicy[.]top | industry[.]tj | Tajikistan's Ministry of Industry and New Technologies |
| mail[.]mfa[.]az-link[.]email | mail[.]mfa[.]az | Azerbaijan's Ministry of Foreign Affairs |
| belaes[.]by[.]authentication[.]becloud[.]cc | belaes[.]by | Belarusian Nuclear Power Plant (Astravets) |
| belstat[.]gov[.]by[.]attachment-posts[.]cc | belstat[.]gov[.]by | National Statistical Committee of Belarus |
| minsk[.]gov[.]by[.]attachment-posts[.]cc | minsk[.]gov[.]by | Official Website of the Government of Minsk (Belarus) |
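The subdomains in the table follow two recognisable impersonation patterns: the legitimate domain is embedded as the leading labels of a longer hostname under an attacker-controlled suffix (mfa.gov.kg inside mail.mfa.gov.kg.openingfile.net), or the leading labels are kept and only the registrable suffix is swapped (akipress.news for akipress.com, mail.mfa.az-link.email for mail.mfa.az). The following Python is an added detection example written for this page, not code from the original post or from any vendor report; it refangs the defanged indicators above, checks each hostname against the list of protected domains, and deliberately reports nothing for maileecommission[.]inro[.]link, which matches neither rule and would need fuzzier string comparison. A genuine subdomain of a protected domain (for example www.mfa.gov.kg) is never flagged.

```python
"""Flag hostnames that impersonate a protected domain using the two lookalike
patterns visible in the table above. Added example for this page; it is not the
original post's code nor any vendor's tooling."""

# Indicator pairs reproduced from the table on this page, in defanged form.
INDICATORS = [
    ("mail[.]mfa[.]gov[.]kg[.]openingfile[.]net", "mfa[.]gov[.]kg"),
    ("akipress[.]news", "akipress[.]com"),
    ("maileecommission[.]inro[.]link", "commission[.]europa[.]eu"),
    ("sts[.]mfa[.]gov[.]tr[.]mypolicy[.]top", "mfa[.]gov[.]tr"),
    ("industry[.]tj[.]mypolicy[.]top", "industry[.]tj"),
    ("mail[.]mfa[.]az-link[.]email", "mail[.]mfa[.]az"),
    ("belaes[.]by[.]authentication[.]becloud[.]cc", "belaes[.]by"),
    ("belstat[.]gov[.]by[.]attachment-posts[.]cc", "belstat[.]gov[.]by"),
    ("minsk[.]gov[.]by[.]attachment-posts[.]cc", "minsk[.]gov[.]by"),
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a normal lower-case hostname."""
    return ioc.replace("[.]", ".").strip(".").lower()


def labels(host: str) -> list[str]:
    """Split a (possibly defanged) hostname into its DNS labels."""
    return refang(host).split(".")


def classify(hostname: str, legit_domains: list[str]):
    """Return (legitimate_domain, pattern) if hostname impersonates one of
    legit_domains; None if it is the real domain, a genuine subdomain of it,
    or matches neither pattern."""
    h = labels(hostname)
    legit = [labels(d) for d in legit_domains]

    # The real domain or one of its own subdomains is never a lookalike.
    for l in legit:
        if h[-len(l):] == l:
            return None

    # Pattern 1: the legitimate domain appears as a run of labels that does not
    # reach the end of the hostname, so the real registrable domain is the
    # attacker's suffix (mfa.gov.kg inside mail.mfa.gov.kg.openingfile.net).
    for l in legit:
        for i in range(len(h) - len(l)):
            if h[i:i + len(l)] == l:
                return ".".join(l), "embedded-prefix"

    # Pattern 2: the leading labels match but the registrable suffix differs
    # (akipress.news vs akipress.com, mail.mfa.az-link.email vs mail.mfa.az).
    for l in legit:
        head = l[:-1]
        if head and h[:len(head)] == head:
            return ".".join(l), "suffix-swap"
    return None


def scan(hostnames, legit_domains):
    """Map each refanged hostname to its classification (None = no pattern fired)."""
    return {refang(n): classify(n, legit_domains) for n in hostnames}


if __name__ == "__main__":
    protected = [legit for _, legit in INDICATORS]
    for host, verdict in scan([m for m, _ in INDICATORS], protected).items():
        print(f"{host:45} -> {verdict}")
```

In practice the hostname stream would come from DNS or proxy logs rather than the indicator list itself, and the protected-domain list would hold the organisation's own domains and those of its peers; the two rules are exact label comparisons, so they produce no false positives on legitimate subdomains but will miss the spliced-label style of the European Commission entry.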