Security News > 2024 > August > EastWind Attack Deploys PlugY and GrewApacha Backdoors Using Booby-Trapped LNK Files

The Russian government and IT organizations are the target of a new campaign that delivers a number of backdoors and trojans as part of a spear-phishing campaign codenamed EastWind.

The attack chains are characterized by the use of RAR archive attachments containing a Windows shortcut file that, upon opening, activates the infection sequence, culminating in the deployment of malware such as GrewApacha, an updated version of the CloudSorcerer backdoor, and a previously undocumented implant dubbed PlugY. PlugY is "Downloaded through the CloudSorcerer backdoor, has an extensive set of commands and supports three different protocols for communicating with the command-and-control server," Russian cybersecurity company Kaspersky said.

The initial infection vector relies on a booby-trapped LNK file, which employs DLL side-loading techniques to launch a malicious DLL file that uses Dropbox as a communications mechanism to execute reconnaissance commands and download additional payloads.

Among the malware deployed using the DLL is GrewApacha, a known backdoor previously linked to the China-linked APT31 group.

The third malware family observed in the attacks in PlugY, a fully-featured backdoor that connects to a management server using TCP, UDP, or named pipes, and comes with capabilities to execute shell commands, monitor device screen, log keystrokes, and capture clipboard content.

The disclosure comes Kaspersky also detailed a watering hole attack that involves compromising a legitimate site related to gas supply in Russia to distribute a worm named CMoon that can harvest confidential and payment data, take screenshots, download additional malware, and launch distributed denial-of-service attacks against targets of interest.

News URL

https://thehackernews.com/2024/08/russian-government-hit-by-eastwind.html