YoroTrooper Espionage Campaigns Target CIS, EU Countries

A previously unknown threat actor has been identified as spying on CIS (Commonwealth of Independent States) entities.

Dubbed YoroTrooper by the Cisco Talos team, the attackers primarily targeted government agencies and energy organizations in Azerbaijan, Tajikistan, and Kyrgyzstan.

“YoroTrooper has also confirmed compromises of accounts from at least two international bodies, a significant European Union (EU) medical institution and the World Intellectual Property Organization (WIPO),” reads an advisory published earlier today.

According to the blog post, written by Cisco Talos security researchers Vitor Ventura and Asheer Malhotra, the information stolen during the attacks included credentials from multiple applications, browser history and cookies, system information and screenshots.

“YoroTrooper’s main tools include Python-based, custom-built, open-source information stealers such as the Nuitka framework and the Stink stealer wrapped in an executable via PyInstaller,” Ventura and Malhotra explained.

Additionally, YoroTrooper used various commodity malware tools such as AveMaria/Warzone RAT, LodaRAT, and Meterpreter to perform remote access operations.

Regarding the infection chain, the Cisco Talos team said that YoroTrooper relies on phishing emails with file attachments. The attachment is typically an archive containing two files: a shortcut file (LNK) and a decoy PDF file.

The shortcut file was the initial trigger for the infection and the PDF was the lure to make the infection look legitimate.
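The archive-plus-shortcut lure described above is easy to triage at the mail gateway or in a sandbox pipeline. The following is an added example written for this page, not code from Cisco Talos or the original article: it opens a zip attachment in memory and flags any member that is a Windows shortcut, identified either by its `.lnk` extension or by the fixed shell-link header (so a shortcut renamed to hide its extension is still caught), and notes when that shortcut is paired with a PDF decoy or carries a double extension. The sample archives, their filenames and contents are constructed for the demonstration.

```python
"""Triage check for e-mail attachment archives bundling a .lnk with a decoy PDF.

Added example for illustration, not Cisco Talos code. Sample archives are built
in memory from invented filenames; no real campaign artifacts are used.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Fixed header of a Windows shell link (.lnk): HeaderSize 0x4C followed by the
# first bytes of the LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
PDF_MAGIC = b"%PDF"


@dataclass
class ArchiveVerdict:
    suspicious: bool = False
    lnk_members: list = field(default_factory=list)
    decoy_members: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def _classify(name: str, head: bytes) -> str:
    """Classify a member by file signature first, then by extension."""
    lower = name.lower()
    if head.startswith(LNK_MAGIC):
        return "lnk"  # a real shortcut, whatever extension it displays
    if lower.endswith(".lnk"):
        return "lnk"
    if head.startswith(PDF_MAGIC) or lower.endswith(".pdf"):
        return "pdf"
    return "other"


def inspect_archive(data: bytes) -> ArchiveVerdict:
    """Return a verdict describing shortcut/decoy members found in a zip blob."""
    verdict = ArchiveVerdict()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        verdict.reasons.append("not a zip archive")
        return verdict
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # enough bytes to compare against both magics
            name = info.filename
            kind = _classify(name, head)
            if kind == "lnk":
                verdict.lnk_members.append(name)
                if not name.lower().endswith(".lnk"):
                    verdict.reasons.append(f"shortcut with masked extension: {name}")
                elif name.lower().count(".") > 1:
                    verdict.reasons.append(f"double extension: {name}")
            elif kind == "pdf":
                verdict.decoy_members.append(name)
    if verdict.lnk_members:
        verdict.reasons.append("archive contains a Windows shortcut")
        if verdict.decoy_members:
            verdict.reasons.append("shortcut paired with a PDF decoy")
        verdict.suspicious = True
    return verdict


def build_sample_archive(members: dict) -> bytes:
    """Build an in-memory zip from {name: content}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the "shortcut" is just the header bytes plus padding.
LURE = build_sample_archive({
    "Request.pdf": b"%PDF-1.4\n%decoy document\n",
    "Request.pdf.lnk": LNK_MAGIC + b"\x00" * 64,
})
BENIGN = build_sample_archive({"Minutes.pdf": b"%PDF-1.7\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        v = inspect_archive(blob)
        print(f"{label}: suspicious={v.suspicious} reasons={v.reasons}")
```

Signature-based classification matters more than the extension check: mail clients and Explorer hide the `.lnk` suffix by default, so a member named `Request.pdf.lnk` is displayed as `Request.pdf`, and an attacker can equally ship the shortcut under an unrelated name.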


“To trick victims, attackers register malicious domains and then generate subdomains, or register typo-squatting domains that resemble legitimate domains from CIS entities, to host malicious artifacts.”

Ventura and Malhotra added that the operators behind this threat group speak Russian, but are not necessarily based in that country or Russian citizens (given the CIS victimology). The motives behind the attacks are mostly related to information gathering and espionage.

“The custom-built Python-based RAT [used by YoroTrooper] is relatively simple,” Cisco Talos explained. “It uses Telegram as a medium for C2 communications and information exfiltration, [and] includes the ability to execute arbitrary commands through the bot and upload files of interest to the Telegram channel.”
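Because the RAT described above uses Telegram's bot infrastructure for command and control, a practical detection is to look for Bot API traffic from processes that have no business talking to Telegram. The following is an added example written for this page, not Cisco Talos code or anything from the original article. It assumes an egress proxy or EDR log in the constructed `key=value` format shown, an allowlist of processes expected to reach Telegram (an assumption to tune per environment), and the documented Bot API convention that method calls go to `api.telegram.org` under a `/bot<token>/` path; the token in the sample lines is a `<TOKEN>` placeholder and the hostnames and timestamps are invented.

```python
"""Flag Telegram Bot API traffic from unexpected processes in proxy/EDR logs.

Added example for illustration, not Cisco Talos code. Log lines below are
constructed; the log format is an assumption about the collecting tool.
"""
import re
from collections import defaultdict

TELEGRAM_API = "api.telegram.org"

# Processes that may legitimately contact Telegram on a managed workstation.
# Assumption: tune this allowlist for your own estate.
EXPECTED_PROCESSES = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Bot API methods that move data out of the host (exfiltration) or pull tasking.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}
TASKING_METHODS = {"getUpdates"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"path=(?P<path>\S+) ua=(?P<ua>.*)$"
)


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_telegram_c2(lines):
    """Return {host: [finding, ...]} for Bot API calls from non-allowlisted processes."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dst"] != TELEGRAM_API:
            continue
        if ev["proc"].lower() in EXPECTED_PROCESSES:
            continue
        method = ev["path"].rsplit("/", 1)[-1]
        findings[ev["host"]].append({
            "ts": ev["ts"],
            "proc": ev["proc"],
            "method": method,
            "bot_api": ev["path"].startswith("/bot"),
            "exfil": method in EXFIL_METHODS,
            "tasking": method in TASKING_METHODS,
        })
    return dict(findings)


def summarize(findings):
    """Collapse per-host findings into (host, call_count, exfil_count, processes)."""
    return [
        (host, len(evs), sum(e["exfil"] for e in evs), sorted({e["proc"] for e in evs}))
        for host, evs in sorted(findings.items())
    ]


# Constructed sample: WS-17 shows a Python executable polling for tasking and
# uploading a file; WS-03 is the desktop Telegram client and should not alert.
SAMPLE_LOG = """\
2023-03-14T10:02:11Z host=WS-17 proc=python.exe dst=api.telegram.org path=/bot<TOKEN>/getUpdates ua=python-requests/2.28.1
2023-03-14T10:02:41Z host=WS-17 proc=python.exe dst=api.telegram.org path=/bot<TOKEN>/getUpdates ua=python-requests/2.28.1
2023-03-14T10:03:05Z host=WS-17 proc=python.exe dst=api.telegram.org path=/bot<TOKEN>/sendDocument ua=python-requests/2.28.1
2023-03-14T10:03:20Z host=WS-03 proc=Telegram.exe dst=api.telegram.org path=/api ua=Telegram/4.6
2023-03-14T10:04:00Z host=WS-17 proc=outlook.exe dst=outlook.office365.com path=/owa ua=Microsoft-Office/16.0
""".splitlines()

if __name__ == "__main__":
    for host, calls, exfil, procs in summarize(find_telegram_c2(SAMPLE_LOG)):
        print(f"{host}: {calls} Bot API calls, {exfil} upload(s), from {procs}")
```

The short, regular `getUpdates` interval in the sample is the polling cadence a bot-driven implant produces; once a host is flagged, the process image path and the user agent (here a scripting-language HTTP library rather than a Telegram client) are the first pivots for the responder.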

The Cisco Talos advisory comes a few weeks after Symantec security researchers discovered another Russian-speaking stealer dubbed “Graphiron.”
