For the first time, US Cyber Command has disclosed eight new malware samples linked to Russia that target foreign affairs ministries and national parliaments. These security threats have progressed in complexity, scope, and gravity, putting billions of dollars at risk when information security is not properly managed.

According to ZDNet, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation's CyWatch published two security advisories on Thursday, October 30, describing the inner workings of ComRAT and Zebrocy. The Cyber National Mission Force (CNMF) of US Cyber Command also shared samples of the new versions of these two malware families on the task force's VirusTotal account.

Malware formally linked to Russia

On October 30, the Slovak cyber-security firm ESET tweeted that the FBI, CISA, and CYBERCOM had formally linked the Zebrocy and ComRAT malware to the cyber-espionage units of the Russian government.

Six of the eight samples are ComRAT malware, which is used by the Turla hacking group, while the other two are samples of the Zebrocy malware, which is used by the hacking group APT28. These new samples were deployed by the Russian hackers in recent attacks. Turla and APT28 have both continuously enhanced these tools and added evasion techniques to keep the malware concealed.


The recent US government revelations aim to inform the public about the latest versions of these hacking tools, so that defenders and system administrators can update their protective measures and add detection rules.


The Russian malware evolution

The US government's cyber-security agencies published their advisories on Halloween, their customary way of greeting foreign cybercriminals on major holidays. US Cyber Command said victims of both malware families were identified in Eastern Europe and Central Asia.

Russian hacking groups have been using these two malware families for years. ComRAT evolved from the old Agent.BTZ malware and has been deployed for over a decade, since 2008. An analysis published in 2015 traced the evolution of a Remote Administration Tool (RAT), now known as ComRAT, that has targeted extremely sensitive bodies, including the US Pentagon in 2008, the Belgian Ministry of Foreign Affairs in 2014, and the Finnish Ministry of Foreign Affairs.

In contrast, Zebrocy was used to target embassies and ministries of foreign affairs. In 2019, ESET researchers identified a new campaign launched by APT28 that targeted the embassies of Eastern European and Central Asian countries, which appear to be its favorite victims.

Similarly, the cyber-security vendor Accenture published a report on recent Turla operations in a blog post on its website earlier this week. Accenture's Cyber Threat Intelligence team, which tracks Turla as Belugasturgeon, reports that the group targets government organizations with custom malware, including updated legacy tools, designed to maintain persistence through overlapping backdoor access while eluding the victim's defenses.

Accenture identified a tool called the HyperStack backdoor, which has undergone significant updates and was inspired by the group's Carbon backdoor as well as its RPC backdoor.

Until now, both ComRAT and Zebrocy had been attributed to Russia only informally, in reports by privately owned security vendors, and not in government advisories. The US government agencies have not linked these malware strains to any recent security events.



Written by CJ Robles

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.