EastWind Attack Unleashes Advanced Backdoor Malware

Lilu Anderson
Photo: Finoracle.net

Booby-Trapped LNK Files: The Gateway to Infection

The EastWind attack targets Russian government and IT organizations through a sophisticated spear-phishing campaign: emails carry RAR archive attachments that contain Windows shortcut (LNK) files. Opening a shortcut starts an infection chain that deploys malware such as GrewApacha and PlugY.

Understanding the Malware Deployed

GrewApacha

GrewApacha is a backdoor attributed to the China-linked hacker group APT31. It uses an attacker-controlled GitHub profile to store encoded data about its command-and-control (C2) server. Once active, it can perform activities such as data theft and system monitoring.

CloudSorcerer

This tool is used for cyber espionage, employing platforms such as Microsoft Graph and Dropbox for covert monitoring and data exfiltration. It uses legitimate websites such as LiveJournal and Quora as initial servers to avoid detection.

PlugY

PlugY, downloaded through CloudSorcerer, is a comprehensive backdoor that can execute various commands and communicate using multiple protocols. It shares similarities with the DRBControl malware linked to China-related hacker groups like APT27.

How the Attack Works

The attack begins with a booby-trapped LNK file that tricks the victim into launching a malicious DLL. That DLL uses Dropbox as its communication channel to receive commands and download additional malware.
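As an added defender-side example (not code from the article or from Kaspersky's report), the following Python parses the StringData fields of a Windows shortcut so a mail-gateway or triage script can inspect LNK files extracted from archives and flag those whose target or arguments point at a DLL. The sample shortcut bytes are constructed here, not a real EastWind artifact, and the file names in it are placeholders.

```python
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, target path, arguments, ...) of a .lnk blob."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                                   # end of the fixed-size header
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (its first DWORD is its own size)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:              # each string: CountCharacters, then the characters
        if flags & bit:
            count, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
            width = 2 if flags & IS_UNICODE else 1
            fields[name] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += count * width
    return fields

def suspicious_reasons(fields: dict) -> list:
    """Triage heuristic: a shortcut whose target or arguments name a DLL deserves a closer look."""
    text = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return ["shortcut target/arguments reference a DLL"] if ".dll" in text else []

def _string(s: str) -> bytes:                    # StringData encoder, used only to build the sample
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

# Constructed sample (not a real EastWind artifact): header plus three Unicode StringData fields.
SAMPLE_LNK = (
    struct.pack("<I", 0x4C) + LNK_CLSID
    + struct.pack("<I", HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE)
    + bytes(0x4C - 24)                           # attributes, timestamps, size, icon index, show cmd, hotkey, reserved
    + _string(r".\viewer.exe") + _string("--load stage.dll") + _string(r"C:\Users\Public\invoice.pdf")
)
```

Run `suspicious_reasons(parse_lnk(blob))` over every `.lnk` entry pulled from an inbound archive; anything flagged goes to a human or a sandbox rather than to the user's inbox.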

Additional Threat: CMoon Worm

Alongside the backdoors, the EastWind campaign involves a watering hole attack on a legitimate gas supply website. This delivers a worm named CMoon which steals sensitive data and performs DDoS attacks. It can also spread by copying itself onto USB drives.

Kaspersky’s Analysis and Findings

Kaspersky's analysis highlights that the EastWind attackers use popular network services like GitHub and Dropbox to hide their activities. They further reported on the CMoon worm's ability to collect data from web browsers, cryptocurrency wallets, and VPNs.

Key Takeaway: The EastWind attack demonstrates the growing sophistication of cyber threats, which utilize legitimate cloud services and advanced malware to carry out their operations.
