Unknown APT group is targeting Russian government entities

An unknown APT group is targeting Russian government entities since the beginning of the Russian invasion of Ukraine.

Researchers from Malwarebytes observed an unknown Advanced Persistent Threat (APT) group targeting Russian government entities with at least four separate spear-phishing campaigns since the beginning of the Russian invasion of Ukraine.

The threat actors behind the attacks aimed at implanting a Remote Access Trojan (RAT) to gain full control over the infected systems.

In the first campaign, attackers distributed a custom malware disguised as an interactive map of Ukraine (interactive_map_UA.exe).

In the second campaign that started in March the threat actor packaged its custom malware in a tar archive named Patch_Log4j.tar.gz, the attackers disguised the malicious code as an updates for the Log4j vulnerability. This campaign primarily targeted RT TV employees.

In the third campaign, threat actors targeted the Rostec defense conglomerate, the phishing messages used build_rosteh4.exe for its malware.

The fourth campaign took place in mid-April and used a Word document containing a fake job advert for a “Strategy and Growth Analyst” position at the Saudi Arabian public petroleum and natural gas company Saudi Aramco as a lure.

Experts attributed the attacks, with low confidence, to a China-linked APT group.

“Attribution is difficult, and threat actors are known to use indicators from other groups as false flags. The attribution of the APT behind these campaigns is ongoing, but based on the infrastructure used we assess with low confidence that this group is a Chinese actor.” concludes the report. “All of the C2s are from BL Networks, which has been used by Chinese APTs in the past. Also, we discovered infrastructure overlap between the malware we analyzed and the Sakula Rat malware used by the Deep Panda APT.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Unknown APT group)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.