The China-linked group APT31 (Zirconium) has been linked to a cyberespionage campaign targeting industrial organizations in Eastern Europe. The attackers aimed to steal valuable intellectual property from victims, including data stored on air-gapped systems.
The attackers abused DLL hijacking vulnerabilities in cloud-based data storage systems such as Dropbox or Yandex, as well as a temporary file-sharing service, to deliver next-stage malware.
A total of 15 implant variants with different capabilities were used in the attack. Some of these were different versions of the FourteenHi malware, which were distributed as first-stage implants, enabling the attackers to gain persistent remote access, upload and download files, and initialize a reverse shell.
The attackers also leveraged a new malware family, dubbed MeatBall, that comes with extensive remote access capabilities, including listing the processes running on a system, capturing screenshots, and using a remote shell.
Samples for x64 have persistence capabilities and a 2-step C2 communication protocol. They accept a relatively long list of commands, including:
- upload arbitrary files,
- download arbitrary files,
- run arbitrary commands,
- set communication delay,
- start reverse shell,
- terminate own process and remove persistence.
To protect communication with the C2, they use the API of a statically linked OpenSSL library. In addition, they use RC4 to encrypt the data they send to the C2 and decrypt the data they receive from it.
Another interesting implant was found using Yandex cloud data storage as its C2 server. It exfiltrated computer names, usernames, IP addresses, MAC addresses, and OS versions from compromised systems.
European entities are persistently targeted by different state-sponsored threat groups and have now become part of a larger attack trend. Organizations are advised to use the IOCs associated with the campaign to understand the attack pattern and to implement effective security measures that detect and remediate unusual activity at its initial stage.