An APT that Russia found inside government systems was too crude to have been the work of a Western nation, believed the malware came from a Chinese entity.

Russian Federal Security Service (FSB), published a report on attack against Russian government entities

The report said the attacks were made using malware named “Mail-O” and asserted that attackers used cloud storage services provided by Russian companies Yandex and Mail.ru Group. The malware mimicked legitimate cloud storage management apps Disk-O and Yandex Disk.

After assessing samples of Mail-O and suggesting it is “a variant of a relatively well-known malware called PhantomNet or SManager used by a threat actor ‘TA428‘.

The researched makes that assertion because Mail-O, PhantomNet and SManager all share a function called “Entery” that supposes is a misspelling of “Entry”. TA428, has a history of attacking Russian and south-east Asian targets and is credibly assessed as having Chinese origins.

Tooling is likely shared among multiple threat actors and what’s being referred to as ‘TA428’ is probably an amalgam of multiple threat groups.

Mail-0 is nasty. The software “acts as a downloader with a thin veneer of similarity to the legitimate Mail.ru Disk-O software” and disguises itself using a legitimate Disk-O version number. Once it infects a machine, the malware downloads a payload and creates the “Entery” function, then downloads a third piece of software that the Russian report claims attempts to subvert email accounts and exfiltrate documents