EastWind Cyber-Spy Campaign Combines Various Chinese APT Tools

Published: 23/11/2024   Category: security




The likely China-linked campaign is deploying CloudSorcerer and other proprietary binaries belonging to known state-sponsored groups, showing how advanced persistent threat groups often collaborate with each other.



A likely China-nexus threat actor is using popular cloud services such as Dropbox, GitHub, Quora, and Yandex as command-and-control (C2) servers in a new cyber espionage campaign targeting government organizations in Russia.
Researchers at Kaspersky are tracking the campaign as EastWind, after uncovering it while investigating devices that had been infected via phishing emails carrying malicious shortcut attachments.
Kaspersky's analysis showed the malware was communicating with and receiving commands from a C2 server on Dropbox. The researchers also found the attackers using the initial payload to download additional malware associated with two different China-sponsored groups — APT31 and APT27 — onto infected systems. In addition, the threat actor used the C2 servers to download a newly modified version of CloudSorcerer, a sophisticated cyber espionage tool that Kaspersky spotted a new, eponymously named group using in attacks earlier this year that also targeted Russian government entities.
Kaspersky has perceived the use of tools from different threat actors in the EastWind campaign as a sign of how APT groups often collaborate and share malware tools and knowledge with each other.
"In attacks on government organizations, threat actors often use toolkits that implement a wide variety of techniques and tactics," Kaspersky researchers said in a blog post this week. "In developing these tools, they go to the greatest lengths possible to hide malicious activity in network traffic."
APT31 is an advanced persistent threat group that US officials have identified as working on behalf of China's Ministry of State Security in Wuhan. Earlier this year, the US Department of Justice indicted seven members of the group for their role in cyber-spy campaigns that victimized thousands of entities globally over a period spanning 14 years.
Mandiant, one of several security vendors tracking APT31, has described the threat actor's mission as gathering information from rival nations that could be of economic, military, and political benefit to China. The group's most frequent targets have included government and financial organizations, aerospace companies, and entities in the defense, telecommunication, and high-tech sectors.
APT27, or Emissary Panda, is another China-linked group engaged in the theft of intellectual property from organizations in sectors that China perceives as being of vital strategic interest. Like APT31, the group has relied heavily on malware delivered via phishing emails for initial access.
Kaspersky did not tie either group specifically to the new EastWind campaign that it spotted targeting Russian government entities, but pointed out that it had observed the use of both groups' malware in the attacks.
Kaspersky has dubbed the APT31 malware that the threat actor behind EastWind is using GrewApacha, a Trojan that APT31 has used since at least 2021. The security vendor observed the threat actor behind the EastWind campaign using GrewApacha to collect information about infected systems and to install additional malicious payloads on them. The adversary, meanwhile, has been using the aforementioned CloudSorcerer — a backdoor that the attacker executes manually — to download PlugY, an implant whose code overlaps with APT27 tooling.
Kaspersky found the implant communicating with the Dropbox-hosted C2 servers via the TCP and UDP protocols and via named pipes, a Windows mechanism for inter-process communication. "The set of commands this implant can handle is quite extensive, and implemented commands range from manipulating files and executing shell commands to logging keystrokes and monitoring the screen or the clipboard," Kaspersky said.
