Using Yandex.Disk as a C2 server[1] to disguise malicious traffic
In April 2022, during routine threat monitoring, PT Expert Security Center detected an attack on a number of Russian energy and media companies that was delivered through a malicious document.
Analysis of the malware showed that the APT31 group was behind the attacks. The 2022 attacks and the group's earlier campaign contained identical snippets of code for harvesting information about network adapters and collecting data about the infected system; the decoy documents bore clear similarities, and in both cases cloud services were used to control the malware.
"An investigation of the tools showed that the attackers used Yandex.Disk as the C2 server. One reason why APT31 deployed a popular cloud service was to make the traffic look legitimate. Previously, the group had used the cloud service Dropbox in the same way. A similar technique for bypassing network security tools by means of a legitimate service was used by the TaskMasters group in its Webdav-O malware," said Daniil Koloskov, Senior Threat Analysis Specialist at Positive Technologies.
The malware samples studied date from November 2021 to June 2022. All of them contain legitimate executables whose role is to transfer control to a malicious library, for instance via DLL Side-Loading[2], and to generate an initialization packet that is sent to the C2 server. A significant proportion of the legitimate executables identified were Yandex.Browser components signed with a valid digital signature.
The analysis uncovered two new types of malware, which we named YaRAT (because it uses Yandex.Disk as the C2 server and has RAT[3] functionality) and Stealer0x3401 (after the constant used to obfuscate[4] the encryption key). In the case of YaRAT, a Yandex.Browser installer (or its portable version) signed with a valid Yandex digital signature was used as the legitimate file vulnerable to DLL Side-Loading. Stealer0x3401 used the legitimate binary dot1xtray.exe to load the malicious library msvcr110.dll.
"In 2021, we observed APT31 activity in Mongolia, Russia, the US, and other countries," noted Daniil. "The attacks we detected this year show similar infection and persistence techniques, numerous intersections within the code, as well as similar compilation tools. All this strongly suggests that the group is still operating and may continue its attacks on organizations in Russia."
According to Daniil, malware that uses Yandex.Disk in the role of C2 is extremely difficult to detect by network interaction: "In effect, it's normal legitimate traffic between client and service. Such malware can only be detected during runtime using monitoring tools, including antivirus technologies. That's why it's important to be proactive and teach employees about digital hygiene and about phishing techniques used by attackers. On top of that, companies should have a separate address where employees can send samples of any suspicious emails they receive and report them to infosec experts. And, of course, it's important to use antivirus products, sandboxes (for example, PT Sandbox), and EDR/XDR-class systems for threat detection and response," he added.
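The side-loading pattern described above (a signed legitimate executable such as dot1xtray.exe loading a DLL named msvcr110.dll from its own directory) is exactly the kind of host-side behaviour that remains visible when the network traffic itself looks legitimate. The script below is an added example, not code from Positive Technologies or from the report: it scores Sysmon image-load (Event ID 7) records on three signals, a DLL name that should resolve from the Windows system directories resolving from elsewhere, an unsigned DLL loaded by a signed executable, and the DLL sitting beside the executable. The flat `Field=value|...` record format, the `ImageSigned` field (assumed to be joined in from the process-creation event; Sysmon Event 7 itself only reports the DLL's signature) and the `SYSTEM_DLL_NAMES` set are assumptions for the example, and the log lines are constructed.

```python
"""Hunt for DLL side-loading in Sysmon image-load (Event ID 7) records.

Added example, not code from Positive Technologies or the report. The
record format, the ImageSigned field (assumed to be joined from the
process-creation event) and the DLL name list are assumptions; the sample
log lines are constructed.
"""
from dataclasses import dataclass
import ntpath

# Names that legitimately resolve from the system directories. Illustrative
# set for the example, not an exhaustive list.
SYSTEM_DLL_NAMES = {"msvcr110.dll", "msvcp110.dll", "version.dll", "dbghelp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


@dataclass
class ImageLoad:
    image: str          # loading process ("Image" in Sysmon Event 7)
    image_loaded: str   # DLL path ("ImageLoaded")
    signed: bool        # DLL signature valid ("Signed")
    image_signed: bool  # process signature valid (assumed join, see above)


def parse_record(line: str) -> ImageLoad:
    """Parse one 'Field=value|Field=value' record (format assumed for the example)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields["Signed"].lower() == "true",
        image_signed=fields["ImageSigned"].lower() == "true",
    )


def side_load_score(ev: ImageLoad) -> int:
    """0 means nothing to see; higher means more of the side-loading pattern."""
    dll = ev.image_loaded.lower()
    exe = ev.image.lower()
    score = 0
    if ntpath.basename(dll) in SYSTEM_DLL_NAMES and not dll.startswith(SYSTEM_DIRS):
        score += 2  # a system DLL name resolved outside the system directories
    if ev.image_signed and not ev.signed:
        score += 2  # signed host binary loading an unsigned library
    if score and ntpath.dirname(dll) == ntpath.dirname(exe):
        score += 1  # DLL placed beside the executable: search-order hijack
    return score


def hunt(records):
    """Return (ImageLoaded, score) for every suspicious load, most suspicious first."""
    hits = []
    for line in records:
        ev = parse_record(line)
        score = side_load_score(ev)
        if score:
            hits.append((ev.image_loaded, score))
    return sorted(hits, key=lambda h: -h[1])


# Constructed records: a normal system load, the dot1xtray.exe pattern from
# the report, a signed application shipping its own signed VC runtime, and a
# signed installer loading an unsigned DLL under a different name.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|ImageSigned=true",
    r"Image=C:\Users\u\AppData\Local\Temp\dot1xtray.exe|ImageLoaded=C:\Users\u\AppData\Local\Temp\msvcr110.dll|Signed=false|ImageSigned=true",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\msvcr110.dll|Signed=true|ImageSigned=true",
    r"Image=C:\Users\u\Downloads\setup.exe|ImageLoaded=C:\Users\u\Downloads\helper.dll|Signed=false|ImageSigned=true",
]

if __name__ == "__main__":
    for path, score in hunt(SAMPLE_LOG):
        print(f"{score}  {path}")
```

The third record shows why the name check alone is noisy: applications legitimately ship the Visual C++ runtime next to their own executable, so a signed redistributable beside a signed program scores lower than the dot1xtray.exe case, where the host is signed and the DLL it loads is not. In practice, treat the unsigned-DLL-beside-signed-executable combination as the signal worth alerting on, and use the name check to prioritise.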
The full report is available on the Positive Technologies website.
[1] Command-and-control (C2) server: the infrastructure through which attackers send commands to, and receive data from, compromised systems in the victim's network.
[2] DLL Side-Loading: the attacker places a malicious DLL where a legitimate, often signed, application will load it instead of the intended library, so the trusted process executes the attacker's payload (MITRE ATT&CK T1574.002, Hijack Execution Flow: DLL Side-Loading).
[3] Remote access (administration) tool: malware that gives the operator interactive control of the infected host.
[4] Obfuscation: deliberately making code or data harder to analyse, for example by transforming a value so that it does not appear in clear form in the binary or in a decompiler's output.