EastWind Attack Deploys PlugY and GrewApacha Backdoors Using Booby-Trapped LNK Files
The Russian government and IT organizations are the target of a new campaign that delivers a number of backdoors and trojans as part of a spear-phishing campaign codenamed EastWind.
The attack chains are characterized by the use of RAR archive attachments containing a Windows shortcut (LNK) file that, upon opening, activates the infection sequence, culminating in the deployment of malware such as GrewApacha, an updated version of the CloudSorcerer backdoor, and a previously undocumented implant dubbed PlugY.
PlugY is “downloaded through the CloudSorcerer backdoor, has an extensive set of commands and supports three different protocols for communicating with the command-and-control server,” Russian cybersecurity company Kaspersky said.
The initial infection vector relies on a booby-trapped LNK file, which employs DLL side-loading techniques to launch a malicious DLL file that uses Dropbox as a communications mechanism to execute reconnaissance commands and download additional payloads.
Among the malware deployed using the DLL is GrewApacha, a known backdoor previously linked to the China-linked APT31 group. Also launched using DLL side-loading, it uses an attacker-controlled GitHub profile as a dead drop resolver to store a Base64-encoded string of the actual C2 server.
CloudSorcerer, on the other hand, is a sophisticated cyber espionage tool used for stealth monitoring, data collection, and exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure. Like in the case of GrewApacha, the updated variant leverages legitimate platforms like LiveJournal and Quora as an initial C2 server.
“As with previous versions of CloudSorcerer, profile biographies contain an encrypted authentication token to interact with the cloud service,” Kaspersky said.
Furthermore, it utilizes an encryption-based protection mechanism that ensures the malware is detonated only on the victim’s computer by using a unique key that’s derived from the Windows GetTickCount() function at runtime.
The third malware family observed in the attacks in PlugY, a fully-featured backdoor that connects to a management server using TCP, UDP, or named pipes, and comes with capabilities to execute shell commands, monitor device screen, log keystrokes, and capture clipboard content.
Kaspersky said a source code analysis of PlugX uncovered similarities with a known backdoor called DRBControl (aka Clambling), which has been attributed to China-nexus threat clusters tracked as APT27 and APT41.
“The attackers behind the EastWind campaign used popular network services as command servers – GitHub, Dropbox, Quora, as well as Russian LiveJournal and Yandex Disk,” the company said.
The disclosure comes Kaspersky also detailed a watering hole attack that involves compromising a legitimate site related to gas supply in Russia to distribute a worm named CMoon that can harvest confidential and payment data, take screenshots, download additional malware, and launch distributed denial-of-service (DDoS) attacks against targets of interest.
The malware also collects files and data from various web browsers, cryptocurrency wallets, instant messaging apps, SSH clients, FTP software, video recording and streaming apps, authenticators, remote desktop tools, and VPNs.
“CMoon is a worm written in . NET, with wide functionality for data theft and remote control,” it said. “Immediately after installation, the executable file begins to monitor the connected USB drives. This allows you to steal files of potential interest to attackers from removable media, as well as copy a worm to them and infect other computers where the drive will be used.”