The Positive Technologies Expert Security Center has revealed details of new cyberattacks launched by APT31, the criminal group known for targeting government agencies worldwide. The origin of the threat appears to be China.
In the course of this campaign, more than a dozen malicious emails were dispatched around the world between January and July 2021. In terms of global reach, traces of the group were found in the U.S., Canada, Mongolia, the Republic of Belarus, and – for the first time – Russia.
These attacks leveraged previously unseen malicious content: the group's new tool is a Remote Access Trojan that allows the criminals to control a victim's computer or network and steal any file from an infected machine.
A Remote Access Trojan is a tool used by malware developers to gain full access and remote control on a user’s system, including mouse and keyboard control, file access, and network resource access.
A detailed analysis of the malware samples, together with numerous overlaps in the functionality, techniques, and mechanisms used, enabled researchers to attribute the detected samples to APT31.
In particular, the researchers detected a link to the phishing domain inst.rsnet-devel[.]com, which imitates the domain used by federal government bodies and the government bodies of the subjects of the Russian Federation for their Internet segment – a malicious domain likely designed to mislead government officials and companies that work with government agencies.
In terms of what is known about the group’s new tool:
- It uses techniques to avoid detection and self-deletes after it accomplishes its goals, also deleting all the files and registry keys it created
- In some cases, such as in the attacks in Mongolia, the dropper was signed with a valid digital signature that was most likely stolen, indicating the attackers' high level of expertise
- The malware can be used as part of a global campaign that includes cyber espionage
- In order to make the malicious library look like the original, the criminals named it MSVCR100.dll – a library with exactly that name is part of the Visual C++ runtime for Microsoft Visual Studio and is present on almost all computers. In addition, the malicious library exports the same names found in the legitimate MSVCR100.dll
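Because the malicious library copies both the file name and the export names of the genuine MSVCR100.dll, name and export table alone cannot tell the two apart; what remains for a defender is where the file was loaded from and who signed it (and, given the stolen-certificate case above, whether the signer is the expected one rather than merely any valid one). The following is an added example, not code from the article or from Positive Technologies: a small detection rule in Python run over constructed image-load events of the kind EDR or Sysmon pipelines emit. The field names, the trusted directories, and the signer string are assumptions for illustration.

```python
"""Flag loads of MSVCR100.dll that do not look like the genuine VC++ runtime.

Added example. The ImageLoad record shape, the TRUSTED_DIRS list and the
expected signer string are assumptions; the sample events are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ImageLoad:
    process: str   # process that loaded the DLL
    image: str     # full path of the loaded DLL
    signer: str    # Authenticode signer subject, "" if unsigned
    valid: bool    # whether the signature chain verified


# Where the genuine runtime is normally installed by Windows (assumption).
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)
EXPECTED_SIGNER = "microsoft corporation"   # assumption
TARGET_NAME = "msvcr100.dll"


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive prefix test on path components (Windows paths)."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[: len(r)] == r


def classify(ev: ImageLoad) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious MSVCR100.dll load, else None.

    Signature problems are rated high: the DLL is either unsigned or signed by
    someone other than the expected vendor (a valid signature from the wrong
    signer is exactly what a stolen certificate looks like). A Microsoft-signed
    copy outside the system directories is only rated low, because installers
    legitimately ship redistributable copies next to applications.
    """
    p = PureWindowsPath(ev.image)
    if p.name.lower() != TARGET_NAME:
        return None
    if not ev.valid:
        return ("high", f"MSVCR100.dll unsigned or invalid signature: {ev.image}")
    if ev.signer.lower() != EXPECTED_SIGNER:
        return ("high", f"MSVCR100.dll signed by unexpected signer '{ev.signer}': {ev.image}")
    if not any(is_under(p, d) for d in TRUSTED_DIRS):
        return ("low", f"MSVCR100.dll loaded from outside system directories: {ev.image}")
    return None


def find_suspicious(events: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Run the rule over a batch and return (process, severity, reason) hits."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            severity, reason = verdict
            hits.append((ev.process, severity, reason))
    return hits


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ImageLoad("svchost.exe", r"C:\Windows\System32\MSVCR100.dll", "Microsoft Corporation", True),
    ImageLoad("updater.exe", r"C:\Users\Public\Libraries\msvcr100.dll", "", False),
    ImageLoad("svcmon.exe", r"C:\ProgramData\Svc\MSVCR100.dll", "Example Software Ltd", True),
    ImageLoad("someapp.exe", r"C:\Program Files\SomeApp\msvcr100.dll", "Microsoft Corporation", True),
    ImageLoad("explorer.exe", r"C:\Windows\System32\kernel32.dll", "Microsoft Windows", True),
]

if __name__ == "__main__":
    for proc, sev, why in find_suspicious(SAMPLE_EVENTS):
        print(f"[{sev}] {proc}: {why}")
```

Of the five constructed events, the rule flags three: the unsigned copy in a user-writable directory and the copy carrying a valid but non-Microsoft signature as high, and the Microsoft-signed copy beside an application as low. The ordering matters: checking the signature before the directory keeps the stolen-certificate case visible even when the file sits in an otherwise plausible location.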
Of further concern, the Positive Technologies researchers believe the malware is only at version 1.0, based on a value embedded in the code and contained in the network packets.
The trends indicate that the hacker group is expanding the geography of its interests. The researchers believe further attacks from this group will be revealed soon, including against Russia. Given the changes that have taken place over the last year, they believe the group is not afraid to make significant changes to its tools, so future malicious programs may be completely different from those already researched.