Updated Malware Tied to Russian Hackers2 Hacking Groups Target Government Agencies
U.S Cyber Command and the Cybersecurity and Infrastructure Security Agency have issued warnings about two Russian hacking groups that are using updated malware to target government agencies around the world.
The first warning, issued Thursday, concerns recent updates to a malicious PowerShell script called ComRAT that is associated with a hacking group known as Turla. This group, also known as Snake, Venomous Bear and Waterbug, targets government and military agencies mainly in Europe, according to security analysts (see: Russian Hackers Revamp Malware, Target Governments: Report).
The second warning, also issued Thursday, concerns a backdoor dubbed Zebrocy, which has also undergone a recent revamp. While not spelled out in the government alerts, this malware has previously been associated with a Russian hacking group dubbed APT28, which is also known as Fancy Bear, Sofacy, Strontium and Tsar Team, according to security firm ESET (see: 'Fancy Bear' Hacking Group Adds New Capabilities, Targets).
APT28 targets government agencies, especially in the U.S., and is believed to be attempting to interfere in the upcoming Nov. 3 elections, according to security analysts (see: US Election Hack Attacks Traced to Russia, China, Iran).
On Tuesday, CISA and the FBI issued an alert about a North Korean-linked group called Kimsuky (see: Sizing Up Activities of North Korea's Kimsuky APT Group).
Turla and ComRAT
CISA and U.S. Cyber Command note that the Turla hacking group has revamped its ComRAT malware and that this malicious tool likely has been used against unnamed ministries of foreign affairs and a national parliament.
An implant dropper dubbed #ComRATv4 recently attributed by @CISAgov and @FBI to Russian sponsored APT, Turla. It was likely used to target ministries of foreign affairs and a national parliament.— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) October 29, 2020
@CNMF_CyberAlert continues to disclose #malware samples on: https://t.co/fSgk1xpG8t pic.twitter.com/c2jmozTAyB
This version of ComRAT, which the federal agencies call "version 4," is designed to target networks, exfiltrate data and plant other malware. It contains both 32-bit and 64-bit Dynamic Link Library modules that can be injected into a target victim's web browser. It then uses named pipes for inter-process communication between the operating system and shared resources to execute calls between the controller and the compromised devices that are hosting the malware, according to the alert.
"The named pipe is used to send Hypertext Transfer Protocol (HTTP) requests and receive HTTP responses to and from the communication module for backdoor commands," according to CISA. "It is designed to use a Gmail web interface to receive commands and exfiltrate data."
Besides the CISA and U.S. Cyber Command warnings, security firm Accenture published a report this week that noted Turla had recently revamped another backdoor called HyperStack as well as two remote access Trojans, as part of an ongoing campaign mainly targeting Europe.
In the alerts, CISA and U.S. Cyber Command noted that the Zebrocy backdoor, which has recently been revamped, has also been used to target ministries of foreign affairs and national parliaments as part of cyberespionage campaigns. The malware has been spotted during attacks in Eastern Europe and Central Asia.
"Two Windows executables identified as a new variant of the Zebrocy backdoor were submitted for analysis," according to the CISA alert. "The file is designed to allow a remote operator to perform various functions on the compromised system."
The newer version of Zebrocy is written in the Golang programming language. Once installed on a device, it can collect information such as the system's username, other device identifiers and the time of the initial infection. Once this data is collected, it's encrypted and encoded before the malware sends the information to a command-and-control server.