Russian Government and IT Firms Receive Spear-Phishing Emails with Trojans and Backdoors

• Spear-phishing emails with malicious archives attached try to trick Russian organizations into installing malware.
• Two backdoors, CloudSorcerer, and novel PlugY, were deployed onto the compromised machines.
• The attackers download the GrewApacha trojan from the Dropbox cloud storage.

The Russian government and IT organizations are targeted by a new spear-phishing campaign that security researchers call EastWind, a new report from Kaspersky says. It delivers an updated version of CloudSorcerer, novel PlugY backdoors, and the GrewApacha trojan. The campaign involves malware from APT27 and APT31, two Chinese-speaking groups.

The victims were lured by emails with RAR archive attachments, such as “initiative group from Chernigov district of Primorsky Krai.rar.” These contained a malicious DLL and a Windows shortcut (LNK) file on top of the legitimate “desktop.exe” file and a bait document.

Popular services such as GitHub, Dropbox, Quora, Russian LiveJournal, and Yandex Disk are used in this campaign as command and control (C2) servers to hide malicious activity.

In a classic DLL sideloading technique, the executable injects the DLL, which is used for reconnaissance and opening the way for GrewApacha, a RAT used by the APT31 hackers since 2021. 

The RAT first seemed to fit the typical PlugX attacks due to its legitimate executable file signed by Microsoft “msedgeupdate.exe,” encrypted payload, and malicious msedgeupdate.dll.

The DLL contacts the Dropbox cloud service using a hardcoded authentication token, and a utility packed with VMProtect is downloaded and run to get the CloudSorcerer backdoor onto the infected machines. 

A previously unknown implant with a wide range of commands that security researchers named PlugY is loaded via the CloudSorcerer backdoor. The PlugY code is similar to the DRBControl backdoor (also known as Clambling), attributed to the APT27 group.

Kaspersky also said a new self-spreading worm they named CMoon has been distributed in Russia since early July 2024 to visitors of specific organizations' websites, focusing on high-value targets. The malware steals account credentials, sensitive details, and financial data and can also initiate distributed denial of service attacks and infect USB drives connected to the infected machines.