An unknown APT group is targeting Russian government entities since the beginning of the Russian invasion of Ukraine.
Researchers from Malwarebytes observed an unknown Advanced Persistent Threat (APT) group targeting Russian government entities with at least four separate spear-phishing campaigns since the beginning of the Russian invasion of Ukraine.

The threat actors behind the attacks aimed at implanting a Remote Access Trojan (RAT) to gain full control over the infected systems.

In the first campaign, attackers distributed a custom malware disguised as an interactive map of Ukraine (interactive_map_UA.exe).
In the second campaign that started in March the threat actor packaged its custom malware in a tar archive named Patch_Log4j.tar.gz, the attackers disguised the malicious code as an updates for the Log4j vulnerability. This campaign primarily targeted RT TV employees.

In the third campaign, threat actors targeted the Rostec defense conglomerate, the phishing messages used build_rosteh4.exe for its malware.

The fourth campaign took place in mid-April and used a Word document containing a fake job advert for a “Strategy and Growth Analyst” position at the Saudi Arabian public petroleum and natural gas company Saudi Aramco as a lure.

Experts attributed the attacks, with low confidence, to a China-linked APT group.

Unknown APT group
“Attribution is difficult, and threat actors are known to use indicators from other groups as false flags. The attribution of the APT behind these campaigns is ongoing, but based on the infrastructure used we assess with low confidence that this group is a Chinese actor.” concludes the report. “All of the C2s are from BL Networks, which has been used by Chinese APTs in the past. Also, we discovered infrastructure overlap between the malware we analyzed and the Sakula Rat malware used by the Deep Panda APT.”

[출처 : SecurityAffairs / 5.25.]