Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Threat Group Uses New Malware to Target Russian Organizations

A threat group known for targeting Russian organizations has recently started using a new tool in its cyber espionage operations, Palo Alto Networks reported on Tuesday.

A threat group known for targeting Russian organizations has recently started using a new tool in its cyber espionage operations, Palo Alto Networks reported on Tuesday.

At the 2014 ZeroNights security conference, ESET researcher Anton Cherepanov disclosed the details of “Roaming Tiger,” an attack campaign targeting high profile organizations in Russia and former Soviet Union countries, including Belarus, Kazakhstan, Kyrgyzstan, Tajikistan, Ukraine and Uzbekistan.

The threat group used RTF exploits and the PlugX RAT to conduct espionage and steal data from targets. While Cherepanov hasn’t said who is behind the campaign, the command and control (C&C) servers and domains discovered during his researcher were tied to China.

In August 2015, Palo Alto Networks researchers spotted attacks that were very similar to the ones launched as part of the Roaming Tiger operation. The attacks, observed up until December, targeted organizations in Russia and Russian-speaking countries, but instead of PlugX, the threat group started using a new tool dubbed by the security firm “BBSRAT.” The new malware uses infection mechanisms that are similar to PlugX, but it has a different architecture and behavior.

In one attack spotted by Palo Alto Networks, the attackers sent out an email containing a malicious Word document designed to exploit an old Microsoft Office vulnerability (CVE-2012-0158) to deliver the BBSRAT malware. This flaw was also exploited in the attacks observed by ESET last year.

The email analyzed by Palo Alto was sent to Vigstar, a Russian research organization that specializes in the development of special-purpose wireless devices and satellite communications systems used by Russian defense and security agencies.

Interestingly, experts pointed out that BBSRAT uses the same C&C domains as in the Roaming Tiger operation detailed by ESET. However, in the recent attacks, it appears the malicious actors deployed different malware variants and separate infrastructure for each of the targeted entities.

BBSRAT, delivered via droppers and downloaders, creates registry entries for persistence. Once it’s installed on a system, the malware collects data on the infected device and sends it back to a remote server via a POST request.

The attackers can then send commands to uninstall or kill the malware, execute a shellcode, start or stop a service, manipulate processes, execute commands, read, write and delete files, obtain file information, create directories, and execute a shell.

“As in many of the previous articles regarding espionage-motivated adversaries and possible nation-state campaigns, what is being observed in this attack campaign is a continued operation and evolution by the adversary even after its tactics, techniques, and procedures (TTPs) have become public knowledge,” Palo Alto Networks researchers explained in a blog post. “Despite the fact that the information about these attackers has been public for over a year, including a listing of many of the command and control servers, they continue to reuse much of their exposed playbook.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...