Positive Technologies: APT group targeting government agencies around the world detected in Russia for the first time

Positive Technologies Expert Security Center (PT ESC) revealed new attacks by APT31 and analyzed its new tool, malicious software that lets the attackers control a victim's computer or network through remote access. Phishing, one of the most common social engineering techniques, was the group's initial attack vector. According to PT ESC experts, more than a dozen malicious emails were sent around the world from January to July 2021, and traces of the attackers were found in Mongolia, the United States, Canada, and the Republic of Belarus. Now the APT31 group, known for attacks on government agencies in various countries, has become active in Russia as well.

As part of a threat intelligence study, PT ESC experts detected emails with previously unseen malicious content sent to Mongolia. Similar attacks were then detected in Russia, the United States, Canada, and the Republic of Belarus. A detailed analysis of the malware samples, together with numerous overlaps in functionality, techniques, and mechanisms, from the way the malicious code is introduced to the logical blocks and structures used, allowed Positive Technologies experts to attribute the detected samples to the APT31 group.

APT31 (also known as Hurricane Panda and Zirconium) has been active since at least 2016. Its key interests have been cyberespionage and collection of sensitive data of strategic importance. The group has a particular interest in the public sector around the world: at various times, its victims have been the government of Finland, and, presumably, the governments of Norway and Germany. A number of researchers suspect that APT31 is also behind a series of attacks on organizations and individuals close to U.S. presidential candidates during the 2020 election campaign. Other targets of the group include aerospace and defense companies, international financial companies, high-tech, telecom, and mass media.

While studying one of the latest malware samples used by the group, PT ESC experts detected a link to a phishing domain, inst.rsnet-devel[.]com, which imitates the domain used in the Internet segment by federal government bodies and the government bodies of the constituent entities (subjects) of the Russian Federation. According to PT ESC, the malicious domain is designed to mislead government officials and companies that work with government agencies.

Positive Technologies participates in the exchange of incident-related data as part of the GosSOPKA system, coordinated by Russia's National Computer Incident Response & Coordination Center (cert.gov.ru). As part of this initiative, Russian companies in industries at increased risk will receive appropriate notifications from the Center.

Denis Kuvshinov, Head of Threat Analysis at Positive Technologies, comments: «Over the year, APT31 has added and started to actively use new versions of malware. The group’s infrastructure is also growing—all this, combined with the fact that the group has not previously attacked Russia, suggests that it is expanding to countries where its increasing activity can be detected, in particular our country. We believe that experts will soon reveal other tools used by the group, including in attacks against Russia, that can be identified by code or network infrastructure.»

In all the attacks analyzed by PT ESC from January to July 2021, APT31 used the same dropper. The study showed that its task was to write two files to the infected computer: a malicious library and a legitimate application vulnerable to DLL side-loading. When the dropper launches that application, the application resolves the library by name and picks up the attacker's copy from its own directory instead of the genuine one, then calls one of the library's exported functions, at which point control passes to the malicious code.

Daniil Koloskov, Senior Threat Analysis Specialist at Positive Technologies, explains: «The malware is a remote access Trojan (RAT), which allows an APT group to monitor and control the computers or the network of its victims. It is worth noting how cunning the malware developers were: in order to make the malicious library look like the original version, they named it MSVCR100.dll; a library with exactly the same name is part of Visual C++ for Microsoft Visual Studio and is present on almost all computers. In addition, its exports carry the same names as those found in the legitimate MSVCR100.dll.»

While analyzing malware samples, PT ESC specialists discovered different versions of the dropper with the same set of functions. In some cases, such as the attacks in Mongolia, the dropper carried a valid digital signature. According to Positive Technologies, the code-signing certificate behind it was most likely stolen, which also indicates a high level of attacker skill; a valid signature on its own is therefore not proof that a file is benign.

The PT Expert Security Center continues to monitor APT31 in Russia and other countries and does not expect the group to reduce its efforts in the coming months. According to the experts, a company can detect and counter such attacks using security information and event management (SIEM) systems, deep network traffic analysis (NTA) systems, and sandboxes. To reduce the opportunities available to attackers, Positive Technologies recommends that companies add the indicators of compromise listed in the report to their security tools, and that employees promptly report any suspicious or spam emails they receive to information security staff.
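The side-loading layout described above (a look-alike MSVCR100.dll dropped beside a legitimate application, possibly carrying a valid signature from a stolen certificate) is something a SIEM can hunt for in image-load telemetry. The following Python is an added example, not code from the report or from Positive Technologies: it flags a runtime DLL loaded from outside the Windows system directories, notes when it sits beside the executable that loaded it, and separates the common app-local redistributable (valid Microsoft signature) from a copy that is unsigned or signed by someone else. The field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature, SignatureStatus), but the flat "Key=value; Key=value" record format, the runtime DLL names other than MSVCR100.dll, the expected signer string and the sample events are all constructed assumptions for this example.

```python
"""Added example: hunt for DLL side-loading of a runtime library in image-load telemetry."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Runtime DLL names worth watching. MSVCR100.dll is the one named in the article;
# the rest are added here as assumptions about other commonly redistributed runtimes.
RUNTIME_DLLS = {"msvcr100.dll", "msvcp100.dll", "msvcr120.dll", "vcruntime140.dll"}

# Directories where such a runtime legitimately lives on a default Windows install.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Signer expected on a genuine copy of these DLLs (assumption for this example).
EXPECTED_SIGNER = "Microsoft Corporation"


@dataclass(frozen=True)
class ImageLoad:
    process_image: str      # executable performing the load (Sysmon: Image)
    loaded_image: str       # DLL that was mapped (Sysmon: ImageLoaded)
    signed: bool            # Sysmon: Signed
    signature: str          # signer name (Sysmon: Signature)
    signature_status: str   # Sysmon: SignatureStatus, e.g. "Valid"


def parse_line(line: str) -> ImageLoad:
    """Parse one constructed 'Key=value; Key=value' record (not Sysmon's real XML)."""
    fields: dict[str, str] = {}
    for part in line.split(";"):
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip()
    return ImageLoad(
        process_image=fields["Image"],
        loaded_image=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", "Unavailable"),
    )


def _in_system_dir(path: str) -> bool:
    directory = ntpath.dirname(path).lower()
    return any(directory == s or directory.startswith(s + "\\") for s in SYSTEM_DIRS)


def classify(ev: ImageLoad) -> list[str]:
    """Return the reasons a load looks like side-loading; an empty list means no finding."""
    name = ntpath.basename(ev.loaded_image).lower()
    if name not in RUNTIME_DLLS or _in_system_dir(ev.loaded_image):
        return []
    validly_signed = ev.signed and ev.signature_status.lower() == "valid"
    if validly_signed and ev.signature == EXPECTED_SIGNER:
        # App-local redistributable with the vendor's own valid signature: treat as benign.
        return []
    reasons = [f"{name} loaded from non-system directory {ntpath.dirname(ev.loaded_image)}"]
    if ntpath.dirname(ev.loaded_image).lower() == ntpath.dirname(ev.process_image).lower():
        reasons.append("DLL sits beside the executable that loaded it (side-load layout)")
    if not validly_signed:
        reasons.append("DLL is unsigned or its signature does not verify")
    else:
        # Valid but from the wrong signer: consistent with a stolen or unrelated certificate.
        reasons.append(f"valid signature, but signer is {ev.signature!r} rather than {EXPECTED_SIGNER!r}")
    return reasons


def hunt(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run classify over raw records; return (loaded image, reasons) for each hit."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev.loaded_image, reasons))
    return hits


# Constructed sample telemetry for this example, not observations from the report.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\notepad.exe; ImageLoaded=C:\Windows\System32\msvcr100.dll; "
    r"Signed=true; Signature=Microsoft Corporation; SignatureStatus=Valid",
    r"Image=C:\Users\user\AppData\Local\Temp\viewer.exe; ImageLoaded=C:\Users\user\AppData\Local\Temp\MSVCR100.dll; "
    r"Signed=false; SignatureStatus=Unavailable",
    r"Image=C:\Program Files\Vendor\app.exe; ImageLoaded=C:\Program Files\Vendor\msvcr100.dll; "
    r"Signed=true; Signature=Microsoft Corporation; SignatureStatus=Valid",
    r"Image=C:\Users\user\Downloads\tool.exe; ImageLoaded=C:\Users\user\Downloads\msvcr100.dll; "
    r"Signed=true; Signature=Contoso Ltd; SignatureStatus=Valid",
    r"Image=C:\Users\user\Downloads\tool.exe; ImageLoaded=C:\Users\user\Downloads\helper.dll; "
    r"Signed=false; SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

On the constructed events this reports the unsigned MSVCR100.dll in a Temp directory and the Contoso-signed copy in Downloads, and stays quiet about the System32 copy and the Microsoft-signed app-local redistributable in Program Files. Location alone is a weak signal, because vendors legitimately ship the Visual C++ runtime next to their applications; the signer check is what separates that case from a look-alike, and since a stolen certificate also yields a valid signature, a production rule should additionally compare the file hash against the known-good redistributable rather than trust the signature status by itself.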