The United States Cyber Command (USCYBERCOM) this week released new malware samples associated with the activity of the Russian threat actors Turla and Zebrocy.
Linked to malicious activity dating back two decades and also referred to as Snake, Waterbug, Venomous Bear, Belugasturgeon, and KRYPTON, Turla was most recently observed targeting a European government organization with multiple backdoors.
On Thursday, USCYBERCOM shared on VirusTotal new samples of the ComRAT Trojan, which is believed to be one of the oldest malware families used by the Russia-linked threat actor.
“FBI has high-confidence that Russian-sponsored APT actor Turla, which is an espionage group active for at least a decade, is using ComRAT malware to exploit victim networks. The group is well known for its custom tools and targeted operations,” a malware analysis report from the Cybersecurity and Infrastructure Security Agency (CISA) reads.
The report shares details on a PowerShell script used to install another script that in turn loads a ComRAT version 4 DLL. CISA explains that the malware includes DLLs employed as communication modules that are injected into the default browser and which communicate with the ComRATv4 file via a named pipe. A Gmail web interface is used to receive commands and exfiltrate information.
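The two behaviours described above (a PowerShell script chain that ends in a DLL load, and a browser-injected module talking to another process over a named pipe) can be turned into simple host-telemetry correlation rules. The following is an added illustration, not code from the article or from CISA's report: it runs over a constructed list of Sysmon-style process, image-load and pipe events. The browser image names, the user-writable path fragments and the pipe names are assumptions chosen for the example, not indicators taken from the report.

```python
"""Hypothetical detection sketch (added example, not from the article or CISA).

Correlates constructed Sysmon-style events to surface two behaviours the
report describes for ComRAT v4:
  1. PowerShell launched by PowerShell, with the child loading an unsigned DLL
     from a user-writable location (script -> script -> DLL chain).
  2. A browser process and a non-browser process sharing a named pipe, which
     is how a module injected into the default browser would talk to a
     separate implant process.
"""
from collections import defaultdict

# Assumed browser image names; extend for the environment's default browser.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Assumed user-writable path fragments (lower-cased, backslash-delimited).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def analyze(events):
    """Return a list of (rule, ...) findings for the given event dicts."""
    findings = []
    by_pid = {e["pid"]: e for e in events if e["event"] == "ProcessCreate"}

    # Rule 1: unsigned DLL loaded by a PowerShell process whose parent is also
    # PowerShell, and the DLL lives in a user-writable directory.
    for e in events:
        if e["event"] != "ImageLoad" or e.get("signed", True):
            continue
        proc = by_pid.get(e["pid"])
        if not proc or proc["image"].lower() != "powershell.exe":
            continue
        parent = by_pid.get(proc.get("parent_pid"))
        path = e["image_loaded"].lower()
        if (parent and parent["image"].lower() == "powershell.exe"
                and any(frag in path for frag in USER_WRITABLE)):
            findings.append(("ps_chain_loads_dll", e["pid"], e["image_loaded"]))

    # Rule 2: a named pipe used by both a browser image and a non-browser image.
    pipe_users = defaultdict(set)
    for e in events:
        if e["event"] in ("PipeCreated", "PipeConnected"):
            pipe_users[e["pipe"]].add(e["image"].lower())
    for pipe, images in pipe_users.items():
        if images & BROWSERS and images - BROWSERS:
            findings.append(("browser_pipe_to_other_process", pipe, sorted(images)))

    return findings


# Constructed sample telemetry; every value here is made up for the example.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -File install.ps1", "parent_pid": 1},
    {"event": "ProcessCreate", "pid": 101, "image": "powershell.exe",
     "cmdline": "powershell.exe -File loader.ps1", "parent_pid": 100},
    {"event": "ImageLoad", "pid": 101, "signed": False,
     "image_loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\comms.dll"},
    {"event": "ImageLoad", "pid": 101, "signed": True,
     "image_loaded": "C:\\Windows\\System32\\kernel32.dll"},  # benign, ignored
    {"event": "ProcessCreate", "pid": 200, "image": "chrome.exe", "parent_pid": 1},
    {"event": "PipeCreated", "pid": 200, "image": "chrome.exe",
     "pipe": "\\\\.\\pipe\\example-shared-pipe"},
    {"event": "PipeConnected", "pid": 101, "image": "powershell.exe",
     "pipe": "\\\\.\\pipe\\example-shared-pipe"},
    {"event": "PipeCreated", "pid": 200, "image": "chrome.exe",
     "pipe": "\\\\.\\pipe\\example-browser-internal"},  # browser-only, ignored
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Both rules are deliberately coarse: browsers create many pipes of their own, so rule 2 only fires when a second, non-browser image touches the same pipe, and rule 1 only fires on the full PowerShell-to-PowerShell-to-unsigned-DLL chain rather than on any script execution. In production the same correlation would be expressed as a SIEM query over Sysmon event IDs 1, 7 and 17/18 rather than over an in-memory list.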
A total of five ComRAT files were shared by USCYBERCOM on VirusTotal, alongside two samples associated with the Russian threat actor Zebrocy.
Initially detailed in 2018, the Russian hacking group is considered by some security researchers part of the infamous Sofacy APT (also referred to as APT28, Fancy Bear, Pawn Storm, Sednit, and Strontium), while others see it as a separate threat group.
In September 2020, new Zebrocy attacks were uncovered, showing continued targeting of countries associated with the North Atlantic Treaty Organization (NATO).
The two samples that USCYBERCOM shared on VirusTotal are Windows executables believed to be a new variant of the Zebrocy backdoor. The malware provides attackers with remote access to a compromised system and supports various operations, CISA notes.
CISA recommends that users and administrators apply security best practices to ensure that their systems remain protected from the newly shared malware samples and other threats.
Related: Turla Cyber-Spies Target European Government With Multiple Backdoors
Related: New Zebrocy Campaign Suggests Russia Continues Attacks on NATO
Related: U.S. Cyber Command Shares More North Korean Malware Variants