Fresh ‘APT31’ Activity Surfaces, Including Russian Targets for the First Time Ever

  • APT31 has apparently expanded its targeting scope and now includes Russian entities.
  • The actors are using a powerful malware and dropper duo as well as spoofed websites.
  • The droppers feature a valid digital signature that’s most likely stolen from somewhere.

The Chinese hacking group tracked as ‘APT31’ (aka “Zirconium” or “Hurricane Panda”) last made headlines in February when researchers at Check Point figured that the actors were using malware tools that were based on leaked NSA code. Now, it is the security research team at Positive Technologies who has an update on the most recent activity of the Chinese hackers, having tracked several emails sent by the actors in the last couple of months, targeting government entities in the United States, Canada, Russia, Belarus, and Mongolia.

According to the report, this is the first time that APT31 is confirmed to be targeting Russian entities in the five years that it has been active. In 2020, the group focused on Europe-based companies and also public agencies in Finland, France, Germany, and Norway, but its interest has shifted again as it seems.

For Russia specifically, the sophisticated actors have set up a spoofing site on “inst.rsnet-devel[.]com”, which imitates the domain of Russia’s National Computer Incident Response & Coordination Center. This is a portal meant to collect reports about cyber-incidents from companies, provide aid and advice, and coordinate response operations. The servers infrastructure that Positive Technologies was able to map is given below.

Source: Positive Technologies

The malware that’s dropped onto the targets' systems is dropped through DLL sideloading in a newly created directory at “C:\ProgramData\Apacha”. It is noteworthy that the droppers are often signed with a valid digital signature that is most probably stolen.

Source: Positive Technologies

The malware itself is similar to what was used by the group in last year’s operations and supports the following commands:

  • Get information on mapped drives
  • Perform file search
  • Create a process, communication through the pipe
  • Create a process via ShellExecute
  • Create a new stream with a file download from the server
  • Search for a file or perform the necessary operation via SHFileOperationW (copy, move, rename, or delete file)
  • Create a directory
  • Create a new stream, sending the file to the server
  • Self-delete using a bat-file

Daniil Koloskov, a Senior Threat Analysis Specialist at Positive Technologies, states:

It is worth noting how cunning the malware developers were: in order to make the malicious library look like the original version, they named it MSVCR100.dll—the library with the exact same name is part of Visual C++ for Microsoft Visual Studio and is present on almost all computers. In addition, it contains as exports the names that can be found in the legitimate MSVCR100.dll

Latest
How to Watch With Love Season 2 Online from Anywhere
It looks like With Love Season 2 is promising fans romance, drama, and loads of surprises for the Diaz family, starting with...
How to Watch Britain’s Got Talent 2023 Online Free: Live Stream BGT Season 16 From Anywhere
Britain's Got Talent returns in 2023 with a brand new awesome season, and you’ll be able to stream the show online from...
How to Watch Shiny Happy People: Duggar Family Secrets Online – Stream the Docuseries from Anywhere
Shiny Happy People: Duggar Family Secrets is a new documentary series about The Duggar family and their 19 kids and counting. We...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari