    Researchers Shed Light on APT31’s Advanced Backdoors and Data Exfiltration Tactics

By justmattg, August 11, 2023


    Aug 11, 2023THNMalware / Cyber Attack

    Backdoors and Data Exfiltration Tactics

    The Chinese threat actor known as APT31 (aka Bronze Vinewood, Judgement Panda, or Violet Typhoon) has been linked to a set of advanced backdoors that are capable of exfiltrating harvested sensitive information to Dropbox.

    The malware is part of a broader collection of more than 15 implants that have been put to use by the adversary in attacks targeting industrial organizations in Eastern Europe in 2022.

    “The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems,” Kaspersky said in an analysis spotlighting APT31’s previously undocumented tradecraft.


The intrusions employ a three-stage malware stack, with each stage handling a different part of the attack chain: establishing persistence, gathering sensitive data, and transmitting that data to a remote server under the attackers' control.

Some variants of the second-stage backdoor also come with features to enumerate file names in the Microsoft Outlook folder, execute remote commands, and hand the collected data, packed as RAR archives, to the third-stage component for exfiltration.

    “The first step is used for persistence, the deployment and startup of the second-step malware module, which is responsible for uploading the files collected to the server by calling the third-step implant and cleaning up,” the Russian cybersecurity firm said.

In a notable twist, APT31 is said to have stood up a command-and-control (C2) server inside the corporate perimeter and used it as a proxy to siphon data from systems with no direct internet access, a clear sign that air-gapped hosts were being singled out.


Kaspersky said it also spotted additional tools the attacker used to manually upload data to Yandex Disk and to temporary file-sharing services such as extraimage, imgbb, imgshare, schollz, and zippyimage. A third, similar implant is configured to send the data via the Yandex email service.
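Both patterns described above, bulk uploads of archives to consumer cloud storage and an internal host relaying traffic for machines that have no internet access of their own, can be caught with fairly simple telemetry checks. The following Python is an added example, not Kaspersky's or the article's code: the address ranges, the cloud-storage domain list, the proxy log lines, the flow records and the byte thresholds are all constructed here and are assumptions to tune to your own environment.

```python
"""Added detection example for the two exfiltration patterns in the article.
All log lines, address ranges, domains and thresholds are constructed."""
import ipaddress
from collections import defaultdict

# Assumption: 10.50.0.0/16 is the restricted (no direct internet) segment,
# the rest of 10.0.0.0/8 is ordinary corporate space, anything else is external.
RESTRICTED_NET = ipaddress.ip_network("10.50.0.0/16")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Consumer storage services. dropboxapi.com and cloud-api.yandex.net are the
# documented API hosts of Dropbox and Yandex Disk; extend the tuple from what
# your own proxy sees for the file-sharing sites named in the article.
CLOUD_STORAGE_SUFFIXES = ("dropboxapi.com", "dropbox.com",
                          "cloud-api.yandex.net", "disk.yandex.ru", "imgbb.com")
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed proxy log: "<time> <src_ip> <method> <host> <path> <bytes_out>"
PROXY_LOG = """\
2022-11-03T09:12:01 10.20.1.15 GET  www.microsoft.com /download 512
2022-11-03T09:14:22 10.20.1.15 POST content.dropboxapi.com /2/files/upload 8388608
2022-11-03T09:14:59 10.20.1.15 POST content.dropboxapi.com /2/files/upload 8388608
2022-11-03T09:20:10 10.20.1.40 POST content.dropboxapi.com /2/files/upload 20480
2022-11-03T09:31:45 10.20.1.15 PUT  cloud-api.yandex.net /v1/disk/resources/upload/docs.rar 6291456
2022-11-03T09:40:00 10.20.2.8  GET  updates.vendor.example /patch.exe 1024
"""

def is_cloud_storage(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)

def parse_proxy_log(text):
    for line in text.splitlines():
        if line.strip():
            ts, src, method, host, path, size = line.split()
            yield {"ts": ts, "src": src, "method": method.upper(),
                   "host": host, "path": path, "bytes": int(size)}

def find_cloud_uploads(text, min_total_bytes=1_000_000):
    """Per source host, bytes pushed to consumer cloud storage. Flags sources over
    the byte threshold or any that upload a .rar, the container the article names.
    Dropbox carries the file name in a request header most proxies do not log,
    so the byte volume is the more dependable signal there."""
    stats = defaultdict(lambda: {"bytes": 0, "hosts": set(), "rar": False})
    for e in parse_proxy_log(text):
        if e["method"] in UPLOAD_METHODS and is_cloud_storage(e["host"]):
            s = stats[e["src"]]
            s["bytes"] += e["bytes"]
            s["hosts"].add(e["host"])
            s["rar"] |= e["path"].lower().endswith(".rar")
    return {src: s for src, s in stats.items()
            if s["bytes"] >= min_total_bytes or s["rar"]}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes). 10.50.3.7 and
# 10.50.3.9 are restricted stations, 10.20.1.15 plays the internal relay.
FLOWS = [
    ("10.50.3.7",  "10.20.1.15",  445, 41_000_000),  # station pushes data to relay
    ("10.50.3.9",  "10.20.1.15",  445, 12_000_000),
    ("10.20.1.15", "203.0.113.5", 443, 53_000_000),  # relay uploads outbound
    ("10.20.1.40", "10.20.1.15",  445, 3_000),       # ordinary corporate share traffic
    ("10.20.2.8",  "198.51.100.9", 443, 2_000),      # normal internet use
    ("10.50.3.11", "198.51.100.9", 53, 200),         # restricted host egressing directly
]

def classify(ip):
    a = ipaddress.ip_address(ip)
    if a in RESTRICTED_NET:
        return "restricted"
    return "internal" if a in INTERNAL_NET else "external"

def find_relays(flows):
    """Flag internal hosts that both accept connections from the restricted
    segment and talk to the internet (the proxy role the article describes),
    and restricted hosts that reached the internet directly. Legitimate jump
    hosts or file servers will match too; allowlist them explicitly."""
    from_restricted = defaultdict(lambda: {"sources": set(), "bytes": 0})
    to_external = defaultdict(lambda: {"dests": set(), "bytes": 0})
    direct_violations = set()
    for src, dst, _port, nbytes in flows:
        s, d = classify(src), classify(dst)
        if s == "restricted" and d == "external":
            direct_violations.add(src)
        elif s == "restricted" and d == "internal":
            from_restricted[dst]["sources"].add(src)
            from_restricted[dst]["bytes"] += nbytes
        elif s == "internal" and d == "external":
            to_external[src]["dests"].add(dst)
            to_external[src]["bytes"] += nbytes
    relays = {h: {"restricted_sources": from_restricted[h]["sources"],
                  "bytes_in": from_restricted[h]["bytes"],
                  "external_dests": to_external[h]["dests"],
                  "bytes_out": to_external[h]["bytes"]}
              for h in from_restricted if h in to_external}
    return relays, direct_violations

if __name__ == "__main__":
    print("cloud uploads:", find_cloud_uploads(PROXY_LOG))
    print("relays / direct egress:", find_relays(FLOWS))
```

On the constructed data, 10.20.1.15 is flagged twice: once for pushing roughly 22 MB of uploads, including a .rar, to Dropbox and Yandex Disk, and once as the host that receives large transfers from the restricted segment while being the only one of those peers that also speaks to the internet. Comparing bytes_in with bytes_out on a flagged relay is a useful secondary check, since a relay that forwards what it collects will show the two in the same order of magnitude.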

    The findings highlight the meticulous planning and the ability of the threat actor to adapt and spin up new capabilities in their cyber espionage pursuits.

    “Abusing popular cloud-based data storages may allow the threat actor(s) to evade security measures,” the company said. “At the same time, it opens up the possibility for stolen data to be leaked a second time in the event that a third party gets access to a storage used by the threat actor(s).”
