YoroTrooper targets government organizations with espionage campaigns

SISA Weekly Threat Watch - 27 March 2023

From using fake antivirus scans and installing customized malware to launching targeted espionage campaigns and mining cryptocurrency, this past week saw threat actors leveraging new and evolved techniques to launch cyber-attacks against businesses. While some severe vulnerabilities necessitated immediate patches and updates to software solutions, others required security teams to rely on anti-malware or anti-phishing solutions, as well as threat intelligence platforms, to prevent such threats from affecting their systems.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. CVE-2023-23397 – Microsoft Outlook critical vulnerability

A critical Microsoft Outlook for Windows vulnerability (CVE-2023-23397) that enables remote password hash theft by just receiving an email has been disclosed by security experts. All Windows versions of Microsoft Outlook are impacted by the 9.8 severity-rated privilege escalation vulnerability.

As exploitation occurs while Outlook is open and the reminder is triggered on the system, there is no requirement for user interaction. The extended MAPI property “PidLidReminderFileParameter” can be included in a task, calendar invitation, or email message that has been specifically crafted by an attacker. Because the vulnerable system sends the user’s Net-NTLMv2 hash to the attacker-controlled host, the attacker can use that hash to launch NTLM Relay attacks against other systems. It is strongly advised to prioritize patching CVE-2023-23397 and to use Microsoft’s script to check for signs of exploitation by verifying whether messaging items in Exchange carry a UNC path.
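A minimal version of that check, as an added example that is not Microsoft’s script or SISA’s code: it walks a constructed list of mailbox items and flags any whose PidLidReminderFileParameter value is a UNC path to a remote host rather than a local file. The UNC forms recognised, the item dictionary shape and the sample values are assumptions made for the example.

```python
import re
from typing import Optional

# UNC-style forms that name a remote host (assumed set for this example).
# Order matters: the \\?\UNC\host form must be tried before the plain \\host form.
_UNC_PATTERNS = [
    re.compile(r"^\\\\\?\\UNC\\(?P<host>[^\\]+)\\", re.IGNORECASE),  # \\?\UNC\host\share\...
    re.compile(r"^\\\\(?P<host>[^\\?.][^\\]*)\\"),                    # \\host\share\... (skips \\?\ and \\.\)
    re.compile(r"^file://(?P<host>[^/]+)/", re.IGNORECASE),           # file://host/share/...
]


def extract_unc_host(value: Optional[str]) -> Optional[str]:
    """Return the remote host named by a UNC path, or None when the value is
    empty or refers to a local file such as C:\\Windows\\Media\\reminder.wav."""
    if not value:
        return None
    value = value.strip()
    for pattern in _UNC_PATTERNS:
        match = pattern.match(value)
        if match:
            return match.group("host")
    return None


def find_suspicious_items(items):
    """Flag items whose reminder sound file points at a remote host.

    Each item is a dict with an 'id' and a 'PidLidReminderFileParameter' key,
    a constructed stand-in for messages, appointments and tasks read from a mailbox."""
    flagged = []
    for item in items:
        host = extract_unc_host(item.get("PidLidReminderFileParameter"))
        if host is not None:
            flagged.append({"id": item["id"], "host": host})
    return flagged


# Constructed sample items; the hosts are documentation/example values, not real IOCs.
SAMPLE_ITEMS = [
    {"id": "msg-1", "PidLidReminderFileParameter": None},
    {"id": "msg-2", "PidLidReminderFileParameter": r"C:\Windows\Media\reminder.wav"},
    {"id": "msg-3", "PidLidReminderFileParameter": r"\\203.0.113.10\share\reminder.wav"},
    {"id": "task-4", "PidLidReminderFileParameter": r"\\?\UNC\remote.example\s\x.wav"},
    {"id": "appt-5", "PidLidReminderFileParameter": "file://remote.example/s/x.wav"},
]

if __name__ == "__main__":
    for hit in find_suspicious_items(SAMPLE_ITEMS):
        print(f"{hit['id']}: reminder file points to remote host {hit['host']}")
```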

2. YoroTrooper espionage campaign targeting government organizations

A threat actor identified as “YoroTrooper” has conducted several espionage campaigns targeting government organizations and energy companies in Azerbaijan, Kyrgyzstan, and Tajikistan. Other targets also include government and energy organizations in the Commonwealth of Independent States (CIS), a health care agency in the European Union and the World Intellectual Property Organization (WIPO).

YoroTrooper uses a variety of tools, such as customized malware, standard RATs, and stealers. It makes use of the commercially available tool Stink Stealer, open-source project Lazagne, and custom scripts to steal credentials. Python installation on the compromised machine is not required because the payload is delivered and run as a standalone application using tools like PyInstaller or Nuitka. Enterprises are advised to adopt anti-phishing solutions at the endpoints and keep their applications and antivirus software up to date to protect against such attacks.

3. Winter Vivern APT hackers use fake antivirus scans to install malware

Winter Vivern, also identified as UAC-0114, was discovered last month after the Computer Emergency Response Team of Ukraine (CERT-UA) revealed a new malware campaign aimed at state authorities in Poland and Ukraine to propagate the malware known as Aperetif. The APT uses Windows batch files to masquerade as antivirus scanners while really downloading malicious payloads. The Aperetif malware can take snapshots, automatically scan and exfiltrate files, and send all data in base64-encoded form to a hardcoded command and control server URL (marakanas[.]com).

In both cases, which overlap in their deployment, the malware beacons connect to the C2 using PowerShell and wait for instructions or additional payloads. The threat actor uses a variety of strategies that are specifically tailored to the targeted organization, such as phishing websites, credential phishing, and the distribution of malicious documents. To prevent such attacks, it is recommended to educate users on common phishing tactics and on emerging cybersecurity risks and vulnerabilities.

4. Emotet malware now distributed in Microsoft OneNote files to evade defenses

With the aim of bypassing Microsoft security restrictions and infecting more targets, the Emotet botnet is back after 3 months of inactivity, distributing malware using Microsoft OneNote email attachments. The attachments are distributed in reply-chain emails that impersonate guides, how-tos, invoices, job references, and more. The threat actors have hidden a malicious VBScript file called ‘click.wsf’ (containing a heavily obfuscated script) underneath the “View” button; when double-clicked, it downloads a DLL from a remote, likely compromised, website and then executes it.

While Microsoft OneNote displays a warning when a user attempts to launch an embedded file in OneNote, history has shown that many users commonly click the ‘OK’ button to get rid of the alert. As a result, Emotet malware gets downloaded as a DLL and quietly runs on the device, stealing email, contacts, and awaiting further commands from the command-and-control server. To avoid data compromise, Windows admins can configure group policies to protect against malicious Microsoft OneNote files. Admins can use these group policies to either block embedded files in Microsoft OneNote altogether or allow users to specify file extensions that should be blocked from running.

5. Cryptojacking group TeamTNT suspected of using decoy miner to conceal data exfiltration

An unidentified malware variant that mines the cryptocurrency Monero on hijacked desktop computers is thought to have been developed by the cryptojacking group TeamTNT. The initial stage of the attack used a cryptocurrency miner whose TTPs are consistent with the usual attack strategy implemented by TeamTNT. Researchers discovered an XMR configuration file (config background.json) on VirusTotal that shared the same IOCs as the SCARLETEEL primary season miner sample.

It appears to be brand-new infrastructure for a new campaign, because the domain name used as the C2 (DonaldTrump[.]cc) had never been used in any malicious campaign before. Researchers were unable to conclusively link the two infections despite their similarities. To reduce the potential attack surface and prevent lateral movement in the cloud, it is recommended that businesses take additional measures such as conducting frequent audits and securing vulnerable applications.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
