Booby-Trapped LNK Files: The Gateway to Infection
The EastWind attack targets Russian government and IT organizations through a sophisticated spear-phishing campaign. The attackers send emails with RAR archive attachments containing Windows shortcut (LNK) files. When these files are opened, an infection chain begins that deploys malware such as GrewApacha and PlugY.
Understanding the Malware Deployed
GrewApacha
GrewApacha is a backdoor attributed to APT31, a China-linked hacker group. It uses an attacker-controlled GitHub profile to store encoded data about the command-and-control (C2) server. Once activated, it can perform activities such as data theft and system monitoring.
CloudSorcerer
CloudSorcerer is a cyber-espionage tool that uses platforms such as Microsoft Graph and Dropbox for covert monitoring and data exfiltration. It uses legitimate websites such as LiveJournal and Quora as initial servers to avoid detection.
PlugY
PlugY, downloaded through CloudSorcerer, is a full-featured backdoor that can execute a range of commands and communicate over multiple protocols. It shares similarities with the DRBControl malware linked to China-related hacker groups such as APT27.
How the Attack Works
The attack begins with a booby-trapped LNK file that tricks the victim into triggering a malicious DLL. The DLL uses Dropbox as its communication channel to receive commands and download further malicious software.
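Because the chain starts with a shortcut that launches a DLL loader, a static triage of .lnk attachments is a cheap defensive check. The following is an added example written for this page, not code from Kaspersky's report or from the EastWind malware: it parses the fixed ShellLinkHeader and StringData fields of the MS-SHLLINK format and flags shortcuts whose target is a living-off-the-land binary or whose arguments reference a DLL. The sample shortcuts it builds (including the file names stage1.dll and the launcher list) are constructed for illustration.

```python
"""Static triage of Windows shell link (.lnk) files.

Parses the 76-byte ShellLinkHeader, skips the optional LinkTargetIDList and
LinkInfo structures, and extracts StringData fields (MS-SHLLINK sections
2.1, 2.2, 2.3 and 2.4). Shortcuts that point at a script/DLL launcher are
reported as suspicious so they can be quarantined before a user opens them.
"""
import struct

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046, serialized little-endian.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1); only the ones used here are listed.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Hypothetical watch-list: binaries commonly used by shortcut droppers to
# load a DLL or run a script; a real deployment would tune this list.
SUSPICIOUS_LAUNCHERS = {"rundll32", "regsvr32", "mshta", "powershell",
                        "cmd", "wscript", "cscript"}


def _read_string(data, pos, unicode):
    """Read one StringData entry: 2-byte char count followed by the chars."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        raw = data[pos:pos + count * 2]
        return raw.decode("utf-16-le"), pos + count * 2
    raw = data[pos:pos + count]
    return raw.decode("latin-1"), pos + count


def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)  # LinkFlags follows the CLSID
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    # StringData entries appear in this fixed order when their flag is set.
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name], pos = _read_string(data, pos, unicode)
    return fields


def assess_lnk(data):
    """Parse a shortcut and return a verdict with human-readable reasons."""
    fields = parse_lnk(data)
    path = fields.get("relative_path", "").replace("\\", "/")
    exe = path.rsplit("/", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    reasons = []
    if exe in SUSPICIOUS_LAUNCHERS:
        reasons.append(f"target is LOLBin {exe}")
    args = fields.get("arguments", "")
    if ".dll" in args.lower():
        reasons.append("arguments reference a DLL")
    if len(args) > 200:
        reasons.append("unusually long argument string")
    return {"fields": fields, "suspicious": bool(reasons), "reasons": reasons}


def _encode_string(s):
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path, arguments="", working_dir=""):
    """Construct a minimal Unicode shell link (header + StringData only) for testing."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    if working_dir:
        flags |= HAS_WORKING_DIR
    if arguments:
        flags |= HAS_ARGUMENTS
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3.
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = _encode_string(relative_path)
    if working_dir:
        body += _encode_string(working_dir)
    if arguments:
        body += _encode_string(arguments)
    return header + body


if __name__ == "__main__":
    # Constructed samples: a benign Notepad shortcut and a DLL-loading one.
    for sample in (build_lnk("..\\..\\Windows\\notepad.exe"),
                   build_lnk("..\\..\\Windows\\System32\\rundll32.exe", "stage1.dll,Start")):
        print(assess_lnk(sample))
```

The parser only reads the fields needed for the verdict; the LinkTargetIDList and LinkInfo blocks are skipped by their own size prefixes, so a shortcut that carries them is still handled. A mail gateway or sandbox can run assess_lnk over every .lnk extracted from an archive attachment and quarantine those returning suspicious=True.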
Additional Threat: CMoon Worm
Alongside the backdoors, the EastWind campaign involves a watering-hole attack on a legitimate gas supply website. This delivers a worm named CMoon, which steals sensitive data and performs DDoS attacks. It can also spread by copying itself onto USB drives.
Kaspersky’s Analysis and Findings
Kaspersky's analysis highlights that the EastWind attackers use popular network services like GitHub and Dropbox to hide their activities. They further reported on the CMoon worm's ability to collect data from web browsers, cryptocurrency wallets, and VPNs.
Key Takeaway: The EastWind attack demonstrates the growing sophistication of cyber threats, which utilize legitimate cloud services and advanced malware to carry out their operations.