EastWind Attack Unleashes LNK File Backdoors

Tech Read Team
Latest Cybersecurity Threat: EastWind Campaign Targeting Russian Government and IT Organizations

Aug 12, 2024 | Ravie Lakshmanan | Cloud Security / Malware

The latest cybersecurity threat has emerged with the Russian government and IT organizations as the prime targets of a newly discovered campaign known as EastWind. This campaign involves a series of backdoors and trojans delivered through a sophisticated spear-phishing attack.

The attack begins with RAR archive attachments containing Windows shortcut (LNK) files. Opening one of these shortcuts triggers an infection chain that deploys several pieces of malware, including GrewApacha, an updated version of the CloudSorcerer backdoor, and a new implant called PlugY.

The PlugY implant, downloaded through the CloudSorcerer backdoor, boasts an extensive set of commands and supports multiple communication protocols with the command-and-control server, as revealed by cybersecurity company Kaspersky in a recent report.

The initial stage of the attack is a booby-trapped LNK file that uses DLL side-loading to execute a malicious DLL. This DLL communicates through Dropbox to carry out reconnaissance and download additional payloads.
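Because the chain starts with a shortcut inside an e-mail attachment, a mail gateway or sandbox can triage LNK files before anyone double-clicks them. The following parser and heuristics are an added example written for this article, not code from Kaspersky's report or from the campaign; it walks the MS-SHLLINK header and StringData fields of a constructed sample (the `build_lnk` helper and the file names it uses are made up for the demonstration) and flags shortcuts that launch a binary outside the usual system directories or pass command-line arguments, both typical of a side-loading staging shortcut.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader offset 0x14)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def parse_lnk(data: bytes) -> dict:
    """Walk a Shell Link blob and return its StringData fields (target, arguments, ...)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                  # fixed-size header ends here
    if flags & HAS_LINK_TARGET_ID_LIST:         # IDListSize (2 bytes) + item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:             # each: CountCharacters + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return fields


def triage(fields: dict) -> list:
    """Heuristics for a shortcut arriving as an attachment; returns reasons to escalate."""
    reasons = []
    target = fields.get("relative_path", "").lower()
    if target.endswith((".exe", ".com", ".scr", ".bat", ".cmd")) and not any(
            d in target for d in ("\\windows\\", "\\program files")):
        reasons.append("executes a binary outside system directories: " + target)
    if fields.get("arguments"):
        reasons.append("passes command-line arguments: " + fields["arguments"])
    return reasons


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Constructed minimal .lnk (no IDList/LinkInfo), used only to exercise the parser."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))   # remaining header fields left zero
    def string_data(s):                         # CountCharacters, then UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + (string_data(arguments) if arguments else b"")
```

Run `triage(parse_lnk(open(path, "rb").read()))` over every .lnk extracted from an inbound archive; an empty list means no heuristic fired, a non-empty list is a reason to detonate the archive in a sandbox rather than deliver it.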

One of the malware variants unleashed via DLL side-loading is GrewApacha, a backdoor previously associated with the China-linked APT31 group. This backdoor uses GitHub as a dead drop resolver to access the C2 server.

CloudSorcerer, another malware in the campaign, is a powerful cyber espionage tool that employs cloud infrastructures like Microsoft Graph, Yandex Cloud, and Dropbox for data collection and exfiltration. The updated version uses legitimate platforms such as LiveJournal and Quora as its initial C2 server.

According to Kaspersky, the malware includes an encryption-based protection mechanism that ensures activation only on the victim’s computer via a unique key derived from the Windows GetTickCount() function during runtime.

Another malware family observed in the campaign is PlugY, a fully-featured backdoor with capabilities to execute commands, monitor devices, record keystrokes, capture clipboard content, and communicate with a management server using various communication channels.

Kaspersky’s source code analysis revealed similarities between PlugY and a backdoor known as DRBControl (also referred to as Clambling), linked to threat clusters APT27 and APT41 associated with China.

The attackers behind the EastWind campaign have cleverly utilized popular network services such as GitHub, Dropbox, Quora, and even Russian LiveJournal and Yandex Disk as command servers, further complicating detection.

Additionally, Kaspersky disclosed a separate watering hole attack that compromises a legitimate website related to gas supply in Russia to distribute a worm known as CMoon. This worm is designed to harvest data, take screenshots, conduct DDoS attacks, and steal confidential information from a wide range of applications and tools.
