Chinese Cyberespionage Group APT31 Targets Eastern European Entities

APT31 (aka Zirconium), a China-linked threat group, has been tied to a cyberespionage campaign targeting industrial organizations in Eastern Europe. The attackers aimed to steal valuable intellectual property from victims, including data stored on air-gapped systems.


Modus operandi

  • The attackers abused DLL hijacking vulnerabilities, along with cloud-based data storage services such as Dropbox or Yandex and a temporary file-sharing service, to deliver next-stage malware.
  • A total of 15 implant variants with different capabilities were used in the attack.
  • Some of these were different versions of the FourteenHi malware, distributed as first-stage implants that enable attackers to gain persistent remote access, upload and download files, and initialize a reverse shell.
  • In addition, the attackers leveraged a new malware, dubbed MeatBall, that comes with vast remote access capabilities, including listing the processes running on a system, capturing screenshots, and using a remote shell.
  • Another interesting implant used Yandex cloud data storage as its C2 server. It exfiltrated computer names, usernames, IP addresses, MAC addresses, and OS versions from compromised systems.
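Two of the behaviours listed above are visible in ordinary endpoint telemetry: a DLL hijack shows up as a process loading a DLL from a user-writable path (or a system DLL name from outside C:\Windows), and cloud-storage abuse shows up as a non-browser, non-sync-client process talking to Dropbox or Yandex hosts. The hunting logic below is an added example, not code from the page or from the vendor report it summarizes. It runs over records shaped like Sysmon Event ID 7 (ImageLoad) and Event ID 3 (NetworkConnect); the directory list, the DLL-name set, the domain patterns and the process allowlist are assumptions to be tuned for a given estate, and every sample event is constructed rather than a campaign indicator.

```python
"""Hunt for DLL hijacking and cloud-storage C2/delivery in Sysmon-like records.
All sample events below are constructed for this example; none are IoCs."""
import re
from dataclasses import dataclass

# Locations an unprivileged user can write to (assumed list). A DLL loaded
# from here is not proof of compromise, but unsigned code in these paths
# by a process that then reaches out to the internet deserves a look.
WRITABLE_DIR_RE = re.compile(
    r"^(?:C:\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)"
    r"|C:\\ProgramData|C:\\Windows\\Temp)\\",
    re.IGNORECASE,
)

# DLL names that legitimately live under C:\Windows; a same-named file loaded
# from anywhere else has the shape of a search-order hijack / side-load.
SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll",
               "cryptbase.dll", "dbghelp.dll"}

# Cloud-storage domains for the services the page names (assumed patterns).
CLOUD_STORAGE_RE = re.compile(
    r"(?:^|\.)(?:dropbox(?:api|usercontent)?\.com|yandex\.(?:ru|net|com))$",
    re.IGNORECASE,
)

# Processes expected to talk to those services (assumed allowlist).
EXPECTED_CLOUD_CLIENTS = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_image_load(ev: dict):
    """Sysmon Event ID 7: return a Finding for a suspicious DLL load, else None."""
    loaded = ev["image_loaded"]
    reasons = []
    if WRITABLE_DIR_RE.match(loaded) and not ev.get("signed", False):
        reasons.append("unsigned DLL loaded from user-writable directory")
    if _basename(loaded) in SYSTEM_DLLS and not loaded.lower().startswith("c:\\windows\\"):
        reasons.append(f"system DLL name {_basename(loaded)} loaded from outside C:\\Windows")
    if not reasons:
        return None
    return Finding("suspicious_dll_load", ev["image"], f"{loaded}: " + "; ".join(reasons))


def check_network_connect(ev: dict):
    """Sysmon Event ID 3: flag cloud-storage traffic from a process with no
    business talking to those services (possible delivery, C2 or exfiltration)."""
    host = ev.get("dest_host", "")
    if not CLOUD_STORAGE_RE.search(host):
        return None
    if _basename(ev["image"]) in EXPECTED_CLOUD_CLIENTS:
        return None
    return Finding("cloud_storage_from_unexpected_process", ev["image"],
                   f"connection to {host}:{ev.get('dest_port')}")


def hunt(events):
    """Run both checks over a stream of records; returns the list of Findings."""
    handlers = {7: check_image_load, 3: check_network_connect}
    findings = []
    for ev in events:
        handler = handlers.get(ev.get("event_id"))
        if handler:
            finding = handler(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry (field names mirror Sysmon's Image, ImageLoaded,
# Signed, DestinationHostname, DestinationPort). Paths and hosts are made up.
SAMPLE_EVENTS = [
    {"event_id": 7, "image": r"C:\Program Files\Vendor\app.exe",
     "image_loaded": r"C:\Windows\System32\version.dll", "signed": True},
    {"event_id": 7, "image": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe",
     "image_loaded": r"C:\Users\alice\AppData\Roaming\Updater\version.dll", "signed": False},
    {"event_id": 3, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "content.dropboxapi.com", "dest_port": 443},
    {"event_id": 3, "image": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe",
     "dest_host": "cloud-api.yandex.net", "dest_port": 443},
    {"event_id": 3, "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "update.microsoft.com", "dest_port": 443},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Run as-is it reports two findings: the unsigned version.dll loaded from AppData by updater.exe, and the same updater.exe connecting to a Yandex host. The value of the two rules comes from correlating them on the same process, which is what an analyst would pivot on next; the allowlist and directory patterns need tuning before this runs at scale, since legitimate sync clients and installers will otherwise generate noise.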

Europe remains a hotbed for attacks

  • Recently, RomCom attackers were tied to a phishing campaign that targeted the European delegates who attended the NATO Summit in Vilnius, Lithuania. The campaign used typosquatting techniques and spear-phishing emails to infect visitors with malware. 
  • In a separate incident, researchers discovered a wave of attacks targeting European entities, especially those focused on foreign policy, that delivered the PlugX malware using the HTML smuggling technique.
  • Meanwhile, a 10-fold increase was observed in the frequency of BEC attacks across Europe between June 2022 and May 2023, compared with the previous year.

Conclusion

European entities are persistently targeted by different state-sponsored threat groups and are now part of a larger attack trend. Organizations are advised to use the IOCs associated with the campaign to understand the attack pattern and to implement effective security measures that detect and remediate unusual activity at an early stage.
