The first instance of the malware, which Bitdefender calls DownEx, was detected in 2022 in a highly targeted attack aimed at exfiltrating data from foreign government institutions in Kazakhstan. Researchers observed another attack in Afghanistan.
“The domain and IP addresses involved do not appear in any previously documented incidents, and the malware does not share any code similarities with previously known malicious software,” Bitdefender said in its research.
The researchers say that the attack highlights the sophistication of a modern cyberattack. “Cybercriminals are finding new methods for making their attacks more reliable,” the research said.
Based on the specific targets of the attacks, the document metadata impersonating a real diplomat, and the primary focus on data exfiltration, researchers believe that a state-sponsored group is responsible for these incidents. The attacks have not been attributed to any specific threat actor, but the researchers consider a Russian group the most likely candidate.
“One clue pointing at the origin of the attack is the use of a cracked version of Microsoft Office 2016 popular in Russian-speaking countries (known as “SPecialiST RePack” or “Russian RePack by SPecialiST”),” Bitdefender said in its report, adding that it is also unusual to see the same backdoor written in two languages. This practice was previously observed with the Russia-based group APT28 and its Zebrocy backdoor.
The initial access method used by the group was most likely a phishing email.
Initial access gained through social engineering
Researchers say that most likely the threat actors used social engineering techniques to deliver a spear-phishing email with a malicious payload as the initial access vector.
“The attack used a simple technique of using an icon file associated with .docx files to masquerade an executable file as a Microsoft Word document,” Bitdefender said.
When the victim opens the attachment, two files are downloaded: a lure document that is displayed to the victim, and a malicious HTML application (HTA) whose embedded script runs in the background. That payload is designed to establish communication with the command-and-control servers.
“The download of the next stage failed, and we have not been able to retrieve the payload from the command and control (C2) server. Based on our analysis of similar attacks, we expect threat actors tried to download a backdoor to establish persistence,” Bitdefender said in the report.
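The masquerade used in this stage is cheap to build and cheap to catch at a mail gateway or on a file share, because the bytes on disk do not match what the name claims. The following is an added example, not code from the Bitdefender report, that checks files for that mismatch: a PE header (`MZ`) behind a document extension, a double extension such as `.docx.exe`, a right-to-left override character in the name, and an HTML Application dropper. The double-extension and right-to-left override checks go beyond the icon trick the report describes and are included as related masquerade techniques; the icon itself lives in the PE resource section and is not inspected here. All sample files are constructed inline.

```python
"""Flag files whose name claims a document but whose content is something else.
Added example for the DownEx initial-access stage; not Bitdefender's code.
The sample files written by build_sample_dir() are constructed for this demo."""
import tempfile
from pathlib import Path
from typing import Dict, List

PE_MAGIC = b"MZ"                                   # DOS header of any Windows PE file
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".hta", ".js", ".vbs", ".cmd", ".bat"}
RLO = "\u202e"                                     # right-to-left override: reverses the visible tail of a name


def classify(path: Path) -> List[str]:
    """Return the masquerade indicators found for one file (empty list if clean)."""
    findings = []
    suffixes = [s.lower() for s in path.suffixes]
    last = suffixes[-1] if suffixes else ""
    with open(path, "rb") as fh:
        head = fh.read(4096)

    # A PE payload renamed to a document extension (or shipped with a Word icon
    # and a document-like name) still starts with the MZ header.
    if last in DOC_EXTS and head.startswith(PE_MAGIC):
        findings.append("pe_with_document_extension")
    # "invitation.docx.exe": Explorer hides the real, final extension by default.
    if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS and last in EXEC_EXTS:
        findings.append("double_extension")
    # U+202E makes "invite<RLO>xcod.exe" render as "inviteexe.docx".
    if RLO in path.name:
        findings.append("rlo_in_name")
    # An HTML Application runs script with mshta.exe outside the browser sandbox.
    if last == ".hta" or b"<hta:application" in head.lower():
        findings.append("hta_application")
    return findings


def scan(root: Path) -> Dict[str, List[str]]:
    """Walk a directory tree and map each suspicious file name to its findings."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits = classify(p)
            if hits:
                results[p.name] = hits
    return results


# Constructed samples: a few bytes are enough, since only names and magic are inspected.
SAMPLE_FILES = {
    "invitation.docx.exe": b"MZ\x90\x00" + b"\x00" * 60,   # renamed PE with a document-looking name
    "memo.pdf": b"MZ\x90\x00" + b"\x00" * 60,              # PE hidden behind a .pdf name
    "invite\u202excod.exe": b"MZ\x90\x00",                 # displays as "inviteexe.docx"
    "stage2.hta": b"<html><hta:application id=\"x\"/><script>"
                  b"new ActiveXObject('WScript.Shell')</script></html>",
    "genuine.docx": b"PK\x03\x04" + b"\x00" * 60,          # real OOXML documents are ZIP containers
    "brief.pdf": b"%PDF-1.7\n",
}


def build_sample_dir() -> Path:
    """Write the constructed samples into a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="masquerade-demo-"))
    for name, body in SAMPLE_FILES.items():
        (root / name).write_bytes(body)
    return root


if __name__ == "__main__":
    for name, hits in scan(build_sample_dir()).items():
        print(f"{name!r}: {', '.join(hits)}")
```

The check is intentionally content-first: a gateway that trusts the extension, the icon or the declared MIME type is exactly what this lure relies on. Reading the first bytes and comparing them with the claimed type is a check that can run before any sandbox detonation.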
Exfiltration of data
Upon execution, DownEx enumerates local and network drives and collects Word, Excel and PowerPoint documents, images and videos, compressed files, and PDFs. It also looks for encryption keys and QuickBooks log files.
DownEx packages the collected data into password-protected zip archives, capping each archive at 30 MB. In some cases the researchers observed multiple archives being exfiltrated.
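Staging of this kind leaves a recognisable footprint: several password-protected archives sitting side by side, each held under a size cap. The following is an added example, not code from the Bitdefender report, that hunts for that footprint at the ZIP header level. It walks a directory tree, parses each archive's local file headers, counts entries whose general-purpose flag bit 0 (traditional ZIP encryption) is set, and groups password-protected archives by directory so that clusters stand out. The archives it scans are constructed inline with a minimal writer that emits local headers only; the 30 MB constant comes from the report, while the directory and file names are assumptions.

```python
"""Hunt for clusters of password-protected ZIP archives, the staging pattern
described for DownEx. Added example, not Bitdefender's code. The archives
written by build_sample_dir() are constructed for this demo."""
import struct
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

LOCAL_SIG = b"PK\x03\x04"
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")   # 30-byte local file header (APPNOTE 4.3.7)
FLAG_ENCRYPTED = 0x0001                      # general-purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008                # bit 3: sizes follow the data, header sizes are zero
SIZE_CAP = 30 * 1024 * 1024                  # per-archive limit reported for DownEx


def zip_summary(path: Path) -> Optional[dict]:
    """Summarise one archive from its local headers; None if the file is not a ZIP."""
    data = path.read_bytes()
    if not data.startswith(LOCAL_SIG):
        return None
    entries = encrypted = off = 0
    while data[off:off + 4] == LOCAL_SIG:
        (_, _, flags, _, _, _, _, csize, _, fnlen, exlen) = LOCAL_HDR.unpack_from(data, off)
        entries += 1
        if flags & FLAG_ENCRYPTED:
            encrypted += 1
        if flags & FLAG_DATA_DESCRIPTOR:
            break   # compressed size is not in the header; stop walking rather than guess
        off += LOCAL_HDR.size + fnlen + exlen + csize
    return {"path": path, "bytes": len(data), "entries": entries,
            "encrypted": encrypted, "under_cap": len(data) <= SIZE_CAP}


def staging_clusters(root: Path, min_archives: int = 2) -> Dict[Path, List[dict]]:
    """Group password-protected archives by directory; keep dirs with min_archives or more."""
    by_dir: Dict[Path, List[dict]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            s = zip_summary(p)
            if s and s["encrypted"]:
                by_dir.setdefault(p.parent, []).append(s)
    return {d: v for d, v in by_dir.items() if len(v) >= min_archives}


def make_raw_zip(path: Path, entries: Dict[str, bytes], encrypted: bool) -> None:
    """Write stored entries as local headers only (no central directory).
    Enough for a header-level scan; a real archive also carries a central directory."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    out = bytearray()
    for name, body in entries.items():
        payload = (b"\x00" * 12 + body) if encrypted else body   # stand-in for the 12-byte ZipCrypto header
        fn = name.encode()
        out += LOCAL_HDR.pack(LOCAL_SIG, 20, flags, 0, 0, 0, 0, len(payload), len(body), len(fn), 0)
        out += fn + payload
    path.write_bytes(bytes(out))


def build_sample_dir() -> Path:
    """Constructed layout: two encrypted parts in 'staging', a plain backup and a text file in 'docs'."""
    root = Path(tempfile.mkdtemp(prefix="staging-demo-"))
    (root / "staging").mkdir()
    (root / "docs").mkdir()
    make_raw_zip(root / "staging" / "part01.zip",
                 {"budget.xlsx": b"x" * 40, "notes.docx": b"y" * 40}, encrypted=True)
    make_raw_zip(root / "staging" / "part02.zip", {"keys.pem": b"z" * 40}, encrypted=True)
    with zipfile.ZipFile(root / "docs" / "backup.zip", "w") as zf:   # genuine, unencrypted archive
        zf.writestr("a.txt", "hello")
        zf.writestr("b.txt", "world")
    (root / "docs" / "notes.txt").write_text("not an archive")
    return root


if __name__ == "__main__":
    for directory, archives in staging_clusters(build_sample_dir()).items():
        print(directory)
        for s in archives:
            print(f"  {s['path'].name}: {s['entries']} entries, "
                  f"{s['encrypted']} encrypted, {s['bytes']} bytes, under cap: {s['under_cap']}")
```

Reading the header flag rather than attempting to open the archive keeps the scan fast and avoids depending on a password; it also works on partial or truncated archives that a normal ZIP library would reject. Pair the directory clustering with file-creation timestamps to tighten the heuristic in practice.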
“This is a fileless attack – the DownEx script is executed in memory and never touches the disk,” Bitdefender said.
To prevent attacks like this, researchers advise organisations to focus on implementing a combination of cybersecurity technologies to harden their security posture.
“Technologies such as advanced malware detection with machine learning that can identify malicious scripts, email filtering, sandbox for the detonation of suspicious files, network protection that can block C2 connections, and detection and response capabilities that extend beyond the endpoints to networks,” Bitdefender said in the report.
Rise in Russia-based malware
Since Russia’s invasion of Ukraine in 2022, Russian cyberespionage against Ukraine and the countries that support it has intensified significantly.
Governments are also trying to actively disrupt these activities and prevent state-sponsored groups from carrying out the attacks.
The news of the new malware strain involved in cyberespionage comes a day after the US announced that it had disrupted one of the most sophisticated malware sets used by the Russian intelligence services, Snake malware.
The US government attributes the Snake malware to the Turla unit within Center 16 of the Federal Security Service of the Russian Federation (FSB). The Turla unit has used several versions of Snake malware over the last 20 years to steal sensitive documents from hundreds of computer systems across at least 50 countries. Its victims included governments, journalists, and other organisations of interest to the Russian Federation, including those in NATO member states.