Eminetracanada.com

Researchers Find New Malware Attacks Targeting Russian Government Entities

Since the start of the Russo-Ukrainian war, a new and previously unknown advanced persistent threat (APT) group has been linked to several spear-phishing attacks. These attacks have focused on Russian government entities.

According to a technical report by Malwarebytes, a Remote Access Trojan (RAT) has been monitoring infected computers and running commands on them remotely.

The cybersecurity company suspects the culprit to be a Chinese hacking group due to similarities between the RAT and the Sakula RAT malware used by Deep Panda.

The Malware Was Created Before the Russo-Ukrainian War

The spear-phishing attacks deploying the new malware began around February 26, a couple of days after Russia’s military attack on Ukraine. The emails distributed the malware disguised as an interactive map of Ukraine, “interactive_map_UA.exe.”

The second wave of attacks started in early March and targeted the state-controlled TV network RT. It used a rogue software fix for the Log4Shell vulnerability, which made headlines in late 2021. This development shows how threat actors adapt their attacks to world events to boost their success.

The malware was delivered as a supposed patch in a compressed TAR file. The email also contained a PDF file with instructions on cybersecurity best practices, to look more authentic and make victims let their guard down. In an ironic twist, the malicious mail also advised the reader to refrain from opening or replying to suspicious emails.

That was not the only way the email attempted to appear authentic.

The PDF file also contained a VirusTotal URL. It pointed to an unrelated file, to give viewers the false impression that the Log4j patch file was not malicious.

Moreover, the fraudulent email also included links to an attacker-controlled domain, “rostec[.]digital”. Several fake Facebook and Instagram profiles alluded to the Russian defense conglomerate. The threat actor created the fake Facebook page in June 2021, nine months before it targeted Russian government entities and nine months before the invasion of Ukraine.

The Elusive Hackers

The cybercriminals used another malicious executable file in their attacks, named “build_rosteh4.exe.” Researchers concluded it was an attempt to pass off the malware as though it belonged to Rostec. A Microsoft Word document acted as the trigger for the infection sequence that deployed the RAT malware.

In mid-April 2022, the cybercriminals also pivoted to a job-themed phishing lure. The email pretended to come from Saudi Aramco, one of Saudi Arabia’s petroleum and natural gas companies.

The way these cybercriminals operate and use the malware overlaps with another hacker group. Research conducted by Check Point reveals that a Chinese adversarial collective with connections to Stone Panda and Mustang Panda targeted at least two Russian research institutions. They managed to infiltrate the systems using a previously unknown backdoor called Spinner.

How to Stay Safe Online

It’s normal to feel uneasy while browsing the internet when there are so many cyber attacks nowadays. However, many methods can strengthen the cybersecurity defenses of your home or business.
