According to a report from Bitdefender, a previously undocumented malware campaign called DownEx has been observed actively targeting government institutions in Central Asia for cyberespionage.
The first instance of the malware was detected in 2022 in a highly targeted attack aimed at exfiltrating data from foreign government institutions in Kazakhstan. Researchers observed another attack in Afghanistan.
“The domain and IP addresses involved do not appear in any previously documented incidents, and the malware does not share any code similarities with previously known malware,” Bitdefender said in its investigation.
Researchers say the attack highlights the sophistication of a modern cyber attack. “Cybercriminals are finding new methods to make their attacks more reliable,” the research said.
Based on the specific targets of the attacks, the document’s metadata impersonating a real diplomat, and the primary focus on exfiltrating data, researchers believe a state-sponsored group is responsible for these incidents. While the attacks have not been attributed to any specific threat actor, it is likely that a Russian group is responsible for the attacks.
“One clue pointing to the origin of the attack is the use of a cracked version of Microsoft Office 2016 popular in Russian-speaking countries (known as ‘SPecialisST RePack’ or ‘Russian RePack by SPecialisT’),” Bitdefender said in its report, adding that it is also unusual to see the same backdoor written in two languages. This practice was previously observed with the APT28 group (based in Russia) with its Zebrocy backdoor.
The initial access method used by the group is likely to be phishing emails.
Initial access obtained through social engineering
Researchers say the threat actors likely used social engineering techniques to send a phishing email with a malicious payload as the initial access vector.
“The attack used a simple technique of using an icon file associated with .docx files to disguise an executable file as a Microsoft Word document,” Bitdefender said.
When the victim opens the attachment, two files are downloaded: a decoy document that is displayed to the victim and a malicious HTML application (HTA) whose embedded code runs in the background. The payload is designed to establish communication with command-and-control servers.
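The disguise described above relies on the reader trusting a Word icon and a document-like name. The check below is an added example written for this page, not code from Bitdefender or from the DownEx report; it is a mail-gateway-style heuristic that compares an attachment's name against its leading bytes (a PE image starts with "MZ", a .docx is a ZIP container, a legacy .doc is an OLE file) and flags HTML Application content. The extension lists and the double-extension rule are assumptions chosen for the demo, not details taken from the report.

```python
import os

# File signatures for the formats involved. A Windows PE executable starts with
# "MZ"; modern Office documents are ZIP containers ("PK\x03\x04"); legacy Office
# files use the OLE compound-file header.
PE_MAGIC = b"MZ"
DOCUMENT_SIGNATURES = {
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".pdf": (b"%PDF",),
}
# Extensions Windows executes (or hands to a script host) on double-click.
# Assumed list for this demo.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".hta", ".js", ".vbs", ".wsf", ".lnk"}


def assess_attachment(filename: str, data: bytes) -> list:
    """Return the reasons an attachment looks like a disguised executable.

    An empty list means none of the heuristics fired. Only the first few KB of
    content are inspected, so callers may pass a truncated read.
    """
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(root)[1]
    head = data[:4096]

    # "Report.docx.exe" renders as "Report.docx" under Windows' default of
    # hiding known extensions, so the Word icon carries the whole disguise.
    if ext in EXECUTABLE_EXTENSIONS and inner_ext in DOCUMENT_SIGNATURES:
        reasons.append(f"double extension: named like {inner_ext} but is {ext}")

    # Whatever the name says, the bytes are a PE image.
    if head.startswith(PE_MAGIC):
        reasons.append("PE executable header")
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable content under non-executable extension {ext or '(none)'}")

    # A document extension whose content does not start with that format's
    # signature is either corrupt or not the document it claims to be.
    expected = DOCUMENT_SIGNATURES.get(ext)
    if expected and not any(head.startswith(sig) for sig in expected):
        reasons.append(f"content does not match {ext} signature")

    # HTML Applications run script under mshta.exe outside the browser sandbox;
    # the report describes an HTA as the component that ran in the background.
    if ext == ".hta" or b"<hta:application" in head.lower():
        reasons.append("HTML Application (HTA) content")

    return reasons


if __name__ == "__main__":
    # Constructed samples: a minimal PE header, a minimal OOXML header, an HTA stub.
    fake_pe = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
    real_docx = b"PK\x03\x04" + b"\x00" * 26
    hta_stub = b"<html><head><HTA:APPLICATION ID='demo'/></head></html>"
    for name, blob in [("Report.docx.exe", fake_pe), ("Report.docx", real_docx),
                       ("Report.docx", fake_pe), ("update.hta", hta_stub)]:
        print(name, "->", assess_attachment(name, blob) or ["clean"])
```

In a real gateway this check runs before any icon is rendered, which is the point: the icon is attacker-controlled metadata inside the PE, while the leading bytes and the true extension are not.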
“The download of the next stage failed and we were unable to retrieve the payload from the command and control server (C2). Based on our analysis of similar attacks, we expect that threat actors attempted to download the backdoor to establish persistence,” Bitdefender said in the report.
Exfiltration of data
After running, DownEx crawls local and network drives to collect document files (Word, Excel and PowerPoint), images, videos, compressed archives and PDFs. It also searches for encryption keys and QuickBooks log files.
DownEx exfiltrates data using a password-protected zip file, limiting the size of each file to 30MB. In some cases multiple files were exfiltrated, the researchers noted.
“This is a fileless attack: the DownEx script runs in memory and never touches the disk,” Bitdefender said.
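Because the script itself never touches disk, the exfiltration stage is the observable part of this campaign: password-protected ZIP archives, each capped at 30MB, filled with the document types listed above. The code below is an added example for this page, not from Bitdefender or the DownEx report. It shows how a network monitor that has reassembled an upload body can score a ZIP blob without extracting it: ZIP general-purpose flag bit 0 marks traditional PKZIP encryption, and the central directory (names and sizes) stays readable even when the entries are encrypted. The 30MB cap comes from the report; the collected-extension list and the 50% document-ratio threshold are assumptions for the demo.

```python
import io
import os
import struct
import zipfile

# Bitdefender reported exfiltration in password-protected ZIP files capped at
# 30 MB each; the cap plus "encrypted and document-heavy" is what this keys on.
CHUNK_CAP = 30 * 1024 * 1024
# Types the report says DownEx collects (assumed extension list for the demo).
COLLECTED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                        ".pdf", ".zip", ".rar", ".jpg", ".png", ".mp4"}
MIN_DOC_RATIO = 0.5  # assumed threshold


def assess_archive(blob: bytes) -> dict:
    """Inspect one ZIP blob (e.g. a reassembled upload body) without extracting it."""
    result = {"is_zip": False, "encrypted": False, "within_cap": None,
              "doc_ratio": 0.0, "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return result
    infos = zf.infolist()
    result["is_zip"] = True
    # General-purpose flag bit 0 marks a traditionally encrypted entry; the
    # central directory with names and sizes is still in the clear.
    result["encrypted"] = any(info.flag_bits & 0x1 for info in infos)
    result["within_cap"] = len(blob) <= CHUNK_CAP
    if infos:
        docs = sum(1 for info in infos
                   if os.path.splitext(info.filename.lower())[1] in COLLECTED_EXTENSIONS)
        result["doc_ratio"] = docs / len(infos)
    result["suspicious"] = (result["encrypted"] and result["within_cap"]
                            and result["doc_ratio"] >= MIN_DOC_RATIO)
    return result


def build_sample_zip(entries, encrypted=False) -> bytes:
    """Construct a demo archive in memory (constructed test data).

    Python's zipfile cannot write PKZIP encryption, so for the encrypted case we
    set flag bit 0 in every local and central header the way a password-
    protected archive carries it. The stored bytes are left unchanged, which is
    enough for assess_archive because it never extracts anything.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flag field sits at offset 6 in a local header and offset 8 in a
        # central directory header.
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            while pos != -1:
                flags, = struct.unpack_from("<H", raw, pos + flag_offset)
                struct.pack_into("<H", raw, pos + flag_offset, flags | 0x1)
                pos = raw.find(signature, pos + len(signature))
    return bytes(raw)


if __name__ == "__main__":
    staged = build_sample_zip([("budget.xlsx", b"x" * 100), ("memo.docx", b"y" * 50),
                               ("notes.txt", b"z")], encrypted=True)
    print("encrypted, document-heavy:", assess_archive(staged))
    print("plain backup:", assess_archive(build_sample_zip([("budget.xlsx", b"x" * 100)])))
    print("not a zip:", assess_archive(b"not a zip"))
```

On its own an encrypted ZIP under 30MB is also what a legitimate user sends; the value of the score is in correlating it with the other facts the report gives, such as the upload going to a host not seen before and the sending process being a script host rather than a mail client or browser.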
To avoid attacks like this, researchers advise organizations to focus on implementing a combination of cybersecurity technologies to harden their security posture.
“Technologies such as advanced malware detection with machine learning that can identify malicious scripts, email filtering, sandboxing for detonating suspicious files, network protection that can block C2 connections, and detection and response capabilities that extend beyond endpoints to networks,” Bitdefender said in the report.
Rise of Russian-based malware
Following the Russian invasion of Ukraine in 2022, Russia’s cyberespionage activities in Ukraine and in countries that support Ukraine have significantly intensified.
Governments are also actively trying to disrupt these activities and prevent state-sponsored groups from carrying out attacks.
News of the new strain of malware involved in cyber espionage comes a day after the United States announced it had disrupted one of the most sophisticated malware suites used by Russian intelligence services, the Snake software.
The US government attributes the Snake malware to the Turla unit within Center 16 of the Russian Federation’s Federal Security Service (FSB). The Turla unit has used various versions of the Snake malware over the past 20 years to steal confidential documents from hundreds of computer systems in at least 50 countries. Their targets included governments, journalists and other targets of interest to the Russian Federation, including NATO nations.
Copyright © 2023 IDG Communications, Inc.
A new cyberattack known as the DownEx malware campaign is targeting central Asian countries like Armenia, Azerbaijan, Kazakhstan and Kyrgyzstan. The malicious code has been used to harvest data from infected computers and is currently on the rise in the region.
Ikaroa, a full-stack tech company, has been monitoring this malware campaign and has uncovered evidence that it may have been created by a professional hacking group. The malware is designed to extract sensitive information from computer systems and then exfiltrate it to remote networks, allowing criminals access to passwords, account information and even financial records.
The insidious nature of the DownEx campaign allows the attackers to launch multiple attacks within a single day and increase the likelihood of successful breaches. Furthermore, the malware is able to evade most anti-virus and anti-malware protections, making it even harder to detect.
Ikaroa is encouraging all organizations and individuals in the region to make sure they have the latest security patches and up-to-date anti-virus and anti-malware software to protect themselves against the DownEx attack. Additionally, organizations should consider the use of encryption and other mechanisms to secure their network and server infrastructure.
Finally, it is important to remember that the best way to protect yourself from threats like the DownEx malware campaign is to stay informed and remain vigilant. Organizations should always be aware of the latest threats and ensure that their IT teams are up-to-date on the latest techniques for combating malicious software.