New Espionage Group ‘YoroTrooper’ Targeting Entities in European, CIS Countries

A newly identified threat actor has been observed targeting government and energy organizations in the Commonwealth of Independent States (CIS) region for espionage and data theft, Cisco warns.

Dubbed YoroTrooper, the group has been active since at least June 2022, mainly hitting governments across Eastern Europe, but was also seen compromising accounts at a European Union healthcare agency and the World Intellectual Property Organization (WIPO).

Believed to consist of Russian-speaking individuals, the group successfully compromised organizations in Azerbaijan, Kyrgyzstan, Tajikistan, and other CIS countries, and is believed to be also targeting other entities in Europe, as well as Turkish government agencies.

To date, Cisco has identified at least three different clusters of activity with overlapping infrastructure and has seen YoroTrooper using both in-house and commodity malware families, including AveMaria/Warzone RAT and LodaRAT.

The group tricks victims with malicious domains and typosquatted domains that resemble the legitimate websites of CIS entities.

YoroTrooper targets potential victims with phishing emails that typically have an archive attached, carrying a shortcut file (.lnk) that triggers the infection and a decoy PDF document.

In the observed attacks, the hacking group dropped commodity RATs and information stealers (such as Stink Stealer), along with a custom-built implant based on Python, and self-developed stealers based on the open-sourced Lazagne project, targeting Google Chrome.

The group’s custom malware relies on Telegram bots for data exfiltration and for receiving commands from the attackers’ command-and-control (C&C) server. The custom-built Python-based RAT can run arbitrary commands and exfiltrate files via Telegram.

YoroTrooper was also seen using reverse shell implants such as a simple Python-based reverse shell and Meterpreter binaries. A C-based custom keylogger was also identified.

The threat actor obtained compromised credentials at a European Union healthcare company and the WIPO, registered malicious domains mimicking those of legitimate European Union government agencies, and compromised embassies belonging to Turkmenistan and Azerbaijan.

Cisco’s investigation into YoroTrooper uncovered potential connections with other threat actors, including some overlaps with Kasablanka, the operators of LodaRAT, and stronger overlaps in both tooling and target choices with the activity of Stibnite, the operators of PoetRAT.

Related: Russia-Linked APT ‘Winter Vivern’ Targeting Governments in Europe, Asia

Related: Cybercriminals, APT Exploited Telerik Vulnerability in Attacks on US Government Agency

Related: EU Organizations Warned of Chinese APT Attacks