Monday, March 20, 2023
LetsAskBinu.com
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things
No Result
View All Result
LetsAskBinu.com
No Result
View All Result
Home Cybersecurity

YoroTrooper Group Targets European, CIS Countries in Cyberespionage Campaigns

Researcher by Researcher
March 18, 2023
in Cybersecurity
0
YoroTrooper Group Targets European, CIS Countries in Cyberespionage Campaigns
189
SHARES
1.5k
VIEWS
Share on FacebookShare on Twitter


For the last nine months, a previously unknown Russian-speaking threat actor has been targeting government, energy, and international organizations in Azerbaijan, Kyrgyzstan, Tajikistan, as well as European countries, with cyberespionage campaigns that employ a range of commodity and custom malware tools.

The campaigns are the work of a group that researchers from Cisco Talos have named YoroTrooper and they have been ongoing since at least June 2022. The threat actor uses phishing as the initial attack vector and tailors the emails and attachments to the specific target organization, setting up either typosquatting or lookalike domains for each target. YoroTrooper has compromised embassies of Turkmenistan and Azerbaijan, and also stole credentials from at least one account in a European health care agency. The group uses RATs and information stealer malware in its campaigns, but also has some custom Python implants in its arsenal.

Although there are some overlaps and links with some existing attack teams, including the PoetRAT group, Talos researchers assess that YoroTrooper is a separate entity running its own operations.

“Espionage is the main motivation for this threat actor, according to the tactics, techniques and procedures (TTPs) we have analyzed. To trick their victims, the threat actor either registers malicious domains and then generates subdomains or registers typo-squatted domains similar to legitimate domains from CIS entities to host malicious artifacts,” Asheer Malhotra and Vitor Ventura of Talos wrote in a post about the YoroTrooper campaigns.

“The initial attack vectors are phishing emails with a file attached, which usually consists of an archive consisting of two files: a shortcut file and a decoy PDF file. The shortcut file is the initial trigger for the infection, while the PDF is the lure to make the infection look legitimate.”

YoroTrooper uses several different tools in its intrusions, including the LodaRAT malware, which has been attributed to the Kasablanka cyber espionage group. LodaRAT is not a publicly available tool, but there are several individual groups using it. YoroTrooper also employs some custom Python malware, including a script designed to steal credentials from Google Chrome and a RAT that can exfiltrate data from a target system.

The typical intrusion begins with a phishing email and an attachment, which usually includes a malicious RAR or ZIP archive that contains an LNK file. The LNKs in turn download a remote HTA file.

“The malicious HTA files employed in this campaign have seen a steady evolution with the latest variant downloading the next-stage payload: a malicious EXE-based dropper and a decoy document. All these tasks are accomplished by running PowerShell-based commands,” the Talos analysis says.

The YoroTropper campaigns first surfaced in June 2022 and have evolved over time, both in terms of victims and tools.

“It is worth noting that while this campaign began with the distribution of commodity malware such as AveMaria and LodaRAT, it has evolved significantly to include Python-based malware. This highlights an increase in the efforts the threat actor is putting in, likely derived from successful breaches during the course of the campaign,” the Talos post says.

The most recent YoroTrooper campaigns from January and February have targeted organizations in Uzbekistan and the group has evolved its tactics, sometimes deploying a Meterpreter payload or a custom keylogger.



Source link

Related articles

undetected since 2021 and resists firmware update

undetected since 2021 and resists firmware update

March 20, 2023
Sentra Raises $30 Million for DSPM Technology

New ‘Trigona’ Ransomware Targets US, Europe, Australia

March 20, 2023
Tags: CampaignsCIScountriescyberespionageEuropeanGrouptargetsYoroTrooper
Share76Tweet47

Related Posts

undetected since 2021 and resists firmware update

undetected since 2021 and resists firmware update

March 20, 2023
0

A possible Chinese attack campaign on compromised unpatched SonicWall SMA edge devices stayed undetected since 2021 and could persist even...

Sentra Raises $30 Million for DSPM Technology

New ‘Trigona’ Ransomware Targets US, Europe, Australia

March 20, 2023
0

A new ransomware family has proven highly active over the past several months, cybersecurity firm Palo Alto Networks warns. Dubbed...

Biden administration sees dangers in cloud, but users must protect perimeters

Biden administration sees dangers in cloud, but users must protect perimeters

March 19, 2023
0

Image: Maksym Yemelyanov/Adobe Stock President Joe Biden’s administration, as part of its recently released National Cybersecurity Strategy, said critical sectors...

Huawei Has Replaced Thousands of US-Banned Parts With Chinese Versions: Founder

Huawei Has Replaced Thousands of US-Banned Parts With Chinese Versions: Founder

March 19, 2023
0

Chinese technology giant Huawei has replaced thousands of product components banned by the United States with homegrown versions, its founder...

How to prevent data theft by existing and departing employees

How to prevent data theft by existing and departing employees

March 19, 2023
0

Some 12% of employees take customer details, health records, sales contracts and other confidential data when leaving a company, according...

Load More
  • Trending
  • Comments
  • Latest
This Week in Fintech: TFT Bi-Weekly News Roundup 08/02

This Week in Fintech: TFT Bi-Weekly News Roundup 15/03

March 15, 2022
QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

March 15, 2022
Supply chain efficiency starts with securing port operations

Supply chain efficiency starts with securing port operations

March 15, 2022
A first look at threat intelligence and threat hunting tools

A first look at threat intelligence and threat hunting tools

March 15, 2022
Beware! Facebook accounts being hijacked via Messenger prize phishing chats

Beware! Facebook accounts being hijacked via Messenger prize phishing chats

0
Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

0
Remote work causing security issues for system and IT administrators

Remote work causing security issues for system and IT administrators

0
Elementor WordPress plugin has a gaping security hole – update now – Naked Security

Elementor WordPress plugin has a gaping security hole – update now – Naked Security

0
undetected since 2021 and resists firmware update

undetected since 2021 and resists firmware update

March 20, 2023
Sentra Raises $30 Million for DSPM Technology

New ‘Trigona’ Ransomware Targets US, Europe, Australia

March 20, 2023
What’s the Best Way to Sack People?

What’s the Best Way to Sack People?

March 20, 2023
Biden administration sees dangers in cloud, but users must protect perimeters

Biden administration sees dangers in cloud, but users must protect perimeters

March 19, 2023

Recent Posts

undetected since 2021 and resists firmware update

undetected since 2021 and resists firmware update

March 20, 2023
Sentra Raises $30 Million for DSPM Technology

New ‘Trigona’ Ransomware Targets US, Europe, Australia

March 20, 2023
What’s the Best Way to Sack People?

What’s the Best Way to Sack People?

March 20, 2023

Categories

  • Cyber Threats
  • Cybersecurity
  • Fintech
  • Hacking
  • Internet Of Things
  • LetsAskBinuBlogs
  • Malware
  • Networking
  • Protection

Tags

Access attack Attacks banking BiWeekly bug Cisco cloud code critical Cybersecurity Data Digital exploited financial Fintech Flaw flaws Google Group Hackers Krebs Latest launches malware Microsoft million Network News open patches Payments platform Ransomware RoundUp security Software Stories TFT Threat Top vulnerabilities vulnerability warns Week

© 2022 Lets Ask Binu All Rights Reserved

No Result
View All Result
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things

© 2022 Lets Ask Binu All Rights Reserved