Hackers Use Fraudulent Windows Updates to Distribute RATs to The Russian Government Entities

According to the reports, hackers are sending spoofed emails posing as Windows security updates and other lures to implant a remote access trojan on Russian government entities. The attacks are attributed to a previously unknown China-based APT (advanced persistent threat) group, which has been linked to four spear-phishing campaigns.

These campaigns took place between February and April 2022, during Russia's invasion of Ukraine, and their targets have been Russian Federation government entities. In all four cases the eventual purpose of the attacks was to infect the victims with a custom remote access trojan (RAT), most likely used for espionage. The threat actors' unusual efforts to mimic other hacker groups and pass unnoticed were uncovered by analysts at Malwarebytes Threat Intelligence.


About the Four Campaigns

According to the sources, this is what is known about the four campaigns that took place from February to April. The first of the four campaigns linked to this new APT began in February 2022, just days after Russia invaded Ukraine, and distributed the RAT under the file name "interactive map UA.exe."

For the second wave, the APT had more time and produced something far more elaborate: a tar.gz archive presented as a patch for the Log4Shell vulnerability coming from the Russian Federation's Ministry of Digital Development, Telecommunications, and Mass Communications.

The third campaign spoofed Rostec, a Russian state-owned defense firm: the actors used freshly registered domains such as "Rostec.digital" and fake Facebook pages to spread malware that appeared to come from the real entity.

Finally, in April 2022, the Chinese hackers used a macro-laced Word document carrying a bogus job advertisement from Saudi Aramco, a major oil and gas company. Remote template injection was used to fetch the malicious template and drop a VBS script onto candidates who had applied for the "Strategy and Growth Analyst" post.


Reports from Malwarebytes

According to the sources, Malwarebytes said that the majority of the related emails were sent to employees of RT, a state-owned Russian television network. The emails contained a PDF with instructions for downloading the Log4j patch, along with warnings about not clicking on or replying to fraudulent messages.

Furthermore, Malwarebytes was able to recover samples of the delivered malware from all four operations and found that it is the same DLL under a different file name in each case. The malware's anti-analysis tactics include control flow flattening with OLLVM and string obfuscation by XOR encoding.
