Hackers Use Fraudulent Windows Updates to Distribute RATs to The Russian Government Entities

As per the news, we came to know that hackers are spoofing emails posing as Windows security updates and other enticements to implant remote access virus on Russian government entities. The assaults are being carried out by a previously unknown APT (advanced persistent threat) group based in China, which has been linked to four spear-phishing operations.

Moreover, these activities took place between February and April 2022, during Russia’s invasion of Ukraine. Its targets have been Russian Federation government entities. The eventual purpose of the attacks in all 4 cases was to infiltrate the victims with a custom remote access trojan (RAT), which was most likely used for spying. The threat agents’ unique efforts to mimic other hacker groups and pass unnoticed were discovered by analysts at Malwarebytes Threat Intelligence.


About the Four Invasions

According to the sources, this is what we know about the four procedures that took place from February to April. The first of four campaigns linked to this new APT began in February 2022, just days after Russia invaded Ukraine, and distributed the RAT as “interactive map UA.exe.”

The APT had more time to produce something far more complex for the second wave. They used a tar.gz archive given by the Russian Federation’s Ministry of Digital Development, Telecommunications, and Mass Communications as a patch for the Log4Shell issue.

The third campaign is a spoof of Rostec, a Russian state-owned defense firm, in which the actors used freshly registered domains such as “Rostec.digital” and phony Facebook pages to spread malware that appeared to emanate from the real entity.

Ultimately, in April 2022, the Chinese hackers used a macro-infected Word document with a bogus job advertisement from Saudi Aramco, a major oil and gas company. Remote template injection was utilized to get the infected design and drop the VBS script onto candidates who have applied for the “Strategy and Growth Analyst” post.

Hackers Use Fraudulent Windows Updates to Distribute RATs to The Russian Government Entities

Reports from Malwarebytes

As per the sources, Malwarebytes said that the majority of the related emails were sent to employees of the RT TV station, a state-owned Russian television network. The emails contained a PDF with instructions for downloading the Log4j patch, as well as cautions about avoiding clicking or answering to fraudulent messages.

Furthermore, Malwarebytes was able to recover samples of the delivered malware among all four operations and discovered that it is the same DLL with alternative titles in each case. Control flow flattening using OLLVM and string obfuscation by XOR encoding are among the anti-analysis tactics used by the malware.