Fresh ‘APT31’ Activity Surfaces, Including Russian Targets for the First Time Ever

  • APT31 has apparently expanded its targeting scope and now includes Russian entities.
  • The actors are using a powerful malware and dropper duo as well as spoofed websites.
  • The droppers feature a valid digital signature that’s most likely stolen from somewhere.

The Chinese hacking group tracked as ‘APT31’ (aka “Zirconium” or “Hurricane Panda”) last made headlines in February when researchers at Check Point figured that the actors were using malware tools that were based on leaked NSA code. Now, it is the security research team at Positive Technologies who has an update on the most recent activity of the Chinese hackers, having tracked several emails sent by the actors in the last couple of months, targeting government entities in the United States, Canada, Russia, Belarus, and Mongolia.

According to the report, this is the first time that APT31 is confirmed to be targeting Russian entities in the five years that it has been active. In 2020, the group focused on Europe-based companies and also public agencies in Finland, France, Germany, and Norway, but its interest has shifted again as it seems.

For Russia specifically, the sophisticated actors have set up a spoofing site on “inst.rsnet-devel[.]com”, which imitates the domain of Russia’s National Computer Incident Response & Coordination Center. This is a portal meant to collect reports about cyber-incidents from companies, provide aid and advice, and coordinate response operations. The servers infrastructure that Positive Technologies was able to map is given below.

Source: Positive Technologies

The malware that’s dropped onto the targets' systems is dropped through DLL sideloading in a newly created directory at “C:\ProgramData\Apacha”. It is noteworthy that the droppers are often signed with a valid digital signature that is most probably stolen.

Source: Positive Technologies

The malware itself is similar to what was used by the group in last year’s operations and supports the following commands:

  • Get information on mapped drives
  • Perform file search
  • Create a process, communication through the pipe
  • Create a process via ShellExecute
  • Create a new stream with a file download from the server
  • Search for a file or perform the necessary operation via SHFileOperationW (copy, move, rename, or delete file)
  • Create a directory
  • Create a new stream, sending the file to the server
  • Self-delete using a bat-file

Daniil Koloskov, a Senior Threat Analysis Specialist at Positive Technologies, states:

It is worth noting how cunning the malware developers were: in order to make the malicious library look like the original version, they named it MSVCR100.dll—the library with the exact same name is part of Visual C++ for Microsoft Visual Studio and is present on almost all computers. In addition, it contains as exports the names that can be found in the legitimate MSVCR100.dll

How to Watch Berlin Marathon 2023 Online Free from Anywhere
The iconic Berlin Marathon is back for another enthralling edition. Thousands of athletes will be vying to come out on top in...
How to Watch Amazing Railway Adventures with Nick Knowles Season 2 Online from Anywhere
Amazing Railway Adventures with Nick Knowles Season 2 is a new set of travels where Nick Knowles visits several destinations by train...
Indian Grand Prix Live Stream 2023: How to Watch MotoGP Online from Anywhere
MotoGP debuts in India this week, and there is great excitement ahead of what should be an enthralling Indian Grand Prix. This...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari