New Malware Tool Focuses on Russia

Wednesday, December 30, 2015 @ 01:12 PM gHale

A threat group that focuses on Russian organizations is using a new type of attack in its move to capture information from its victims, researchers said.

The “Roaming Tiger” attack campaign targets high profile organizations in Russia and former Soviet Union countries, including Belarus, Kazakhstan, Kyrgyzstan, Tajikistan, Ukraine and Uzbekistan, said ESET researcher Anton Cherepanov.

Federal Reserve Vulnerable to Hackers
Cyber Security Bill Passes Congress
Security Sites Vulnerable: Report
IRS Breach Bigger than Thought

The threat group used RTF exploits and the PlugX RAT to conduct espionage and steal data from targets. While Cherepanov hasn’t said who is behind the campaign, the command and control (C&C) servers and domains discovered during his research ended up tied to China.

In August 2015, Palo Alto Networks researchers spotted attacks that were very similar to the ones launched as part of the Roaming Tiger operation. The attacks, observed up until December, targeted organizations in Russia and Russian-speaking countries, but instead of PlugX, the threat group started using a new malware tool.

The new malware uses infection mechanisms that are similar to PlugX, but it has a different architecture and behavior.

In one attack spotted by Palo Alto Networks, the attackers sent out an email containing a malicious Word document designed to exploit an old Microsoft Office vulnerability to deliver the new malware. This flaw was also in the attacks observed by ESET last year.

The email analyzed by Palo Alto ended up sent to Vigstar, a Russian research organization that specializes in the development of special-purpose wireless devices and satellite communications systems used by Russian defense and security agencies.

Researchers said the new malware uses the same C&C domains as in the Roaming Tiger operation detailed by ESET.