  • Kaspersky researchers discover Russian cyber espionage against Russia

    Time: Oct. 10, 2020

    Steganography-transmitted malware has been used to spy on industrial targets in Russia.

     

    A recently discovered attack sheds light on how cyber espionage can be used not only for the interests of the nation-state, but also for potentially competitive or other espionage purposes.

     

    Researchers at Moscow-based Kaspersky Company discovered and analyzed a cyberattack campaign they called MontysThree.

     

    The global industrial sector has had its share of malware infections, both targeted and undirected, for several years. Attacks on corporate technology networks have increased, and according to a new survey by industrial security firm Claroty, about 56% of industrial sector organizations around the world have experienced more cyber threats during the COVID-19 pandemic.

     

    MontysThree, apparently unconnected to the threat groups Kaspersky currently tracks, uses relatively unusual techniques in its attack campaign, including steganography, a sophisticated method of hiding malware behind images, and a relatively cumbersome method of HTTP remote access communication via the Remote Desktop Protocol. The group also put a false flag in the code of some of their email files to appear as a Chinese-speaking actor.

     

    The loader malware, delivered in phishing emails and disguised with steganography, uses a bitmap file to hide the malware. The decoys are SFX RAR files that contain employee contact names, documentation, and medical results.

     

    Steganography is an old but rarely used obfuscation method, and it is not easy to use. Legezo believes that the attackers attempted to sneak past IDS/IPS tools on victimized networks by hiding the malware behind seemingly innocent image files.

     

    MontysThree encrypts user data and primarily searches for Microsoft and Adobe Acrobat files. At the same time, it performs the usual spying tasks of gathering information about the configuration and characteristics of the target computers. The attackers store the stolen files on public cloud services like Google, Microsoft, and Dropbox to camouflage their activities and avoid alarms from security tools.

     

    MontysThree also uses an interesting method for remote access communication: rather than incorporating communication protocols into the malware, it relies on client programs already present on the target computer.

     

    Attackers also use Citrix clients: "Citrix communication proceeds in the same way: the malware does not implement the protocol, but looks for Windows Quick Launch .lnk for XenApp pnagent.exe, runs Internet Explorer remotely and communicates with it via the Clipboard with special keyboard shortcuts," says Kaspersky's whitepaper on the attack.

     

    Other errors typical of novice attackers were also discovered: connecting to RAM and files at the same time and storing the encryption keys in the same file.

     

    Despite this, Legezo believes that MontysThree is still fine-tuning and polishing its attack frame, and he is therefore following the group closely.

     
