A recent study conducted by Positive Technologies discovered new attacks carried out by the APT31 cybercriminal group targeting many government agencies across the globe.
The Positive Technologies Expert Security Center (PT ESC) recently revealed new attacks carried out by APT31 and the tools they used. The cybercriminal group installed malicious software that enables criminals to control a victim’s computer or network using remote access. The firm discovered that the group utilized phishing as the initial attack vector.
As per PT ESC experts, the group sent over a dozen malicious emails around the world between January and July 2021, and traces of the attackers were found in the United States, Canada, Mongolia, and the Republic of Belarus. Now the group, known for its attacks against government agencies across various countries, has become active in Russia.
PT ESC experts detected emails with previously unseen malicious content sent to Mongolia. They found similar attacks carried out in the United States, Canada, the Republic of Belarus and Russia. Before attributing the attacks to the APT31 group, Positive Technologies experts performed a detailed analysis of the malware samples and found numerous overlaps in functionality, mechanisms and techniques with the group's known tooling.
Active since 2016, APT31’s key interest is in cyber espionage and collection of confidential data of strategic importance. The group’s interest in the public sector was discovered after it added the governments of Finland, Norway and Germany to its list of victims. Several researchers suspect that the group also carried out a series of attacks on businesses and individuals who were connected to the U.S. presidential candidates during the 2020 election campaign.
While studying the group's latest malware samples, the PT ESC experts found a link to the phishing domain inst.rsnet-devel[.].com. It imitates the domain used in the Internet segment for federal government bodies and for the government bodies of the subjects of the Russian Federation. Such a malicious domain is designed to mislead government officials and companies that work with government agencies.
In recent years, APT31 has added and started to actively use new versions of malware.
In all the attacks analyzed by PT ESC between January and July 2021, the group used the same dropper. The study also found that the dropper's task was to place a malicious library and a legitimate application vulnerable to DLL sideloading on the infected computer. The malware used by the APT group is a remote access Trojan (RAT) that allows it to monitor and control its victims' computers or networks. To make the library look like the original one, the criminals named it MSVCR100.dll: a library with exactly the same name is part of Visual C++ for Microsoft Visual Studio and is present on almost all computers. In addition, the malicious library exports the same function names that can be found in the legitimate MSVCR100.dll, so the sideloaded application resolves its imports without error.
The PT Expert Security Center continues to monitor APT31 in Russia as well as other countries. It believes that the group won’t reduce its efforts in the coming months. The experts believe enterprises can detect and counter such attacks using security information and event management (SIEM) systems, deep network traffic analysis (NTA) systems, and sandboxes.
The attacks of APTs on government agencies are also an alarming sign for enterprises across the globe, as a breach of a country's government security can also compromise the security of the businesses that work with it. To reduce the chances of attack, enterprises should add the published indicators of compromise to their security solutions. Furthermore, they should strengthen their security awareness programs so that employees report suspicious emails and other threats to the information security team.