Russian Government Targeted by Unknown APT Group
Malwarebytes Labs has identified several phishing campaigns, coinciding with the start of the invasion of Ukraine, in which an unknown APT group has targeted Russian government entities since late February 2022. Attribution is undetermined, but early analysis and indicators suggest a China-based threat group. The objective of the attacks has been to install a remote access trojan (RAT). The lures used across the campaigns include an "interactive map of Ukraine", a patch for Log4j, software, and a job posting for Saudi Aramco. The emails carry an attachment that is a malicious document, an executable file, or a TAR file. In the lure built around a fictitious Saudi Aramco job posting, the infection chain starts with a document macro that drops a VBS script; the script downloads a DLL payload, which is executed with rundll32 and contains the code that communicates with the attacker's command and control server. Although only the payload from the Saudi Aramco campaign was analyzed, Malwarebytes identified the malware used across all the campaigns as the same.
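As an added illustration (not from the Malwarebytes report), the following Python check flags the process tree described above in process-creation telemetry: an Office application spawning a script host that in turn launches rundll32 with a DLL from a user-writable location. The sample events, image names and file paths are constructed for the example, not indicators from the campaign.

```python
"""Flag the macro -> VBS -> rundll32 chain in process-creation events."""
from dataclasses import dataclass

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Locations a macro-dropped script can usually write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the created process
    cmdline: str    # command line of the created process


def _name(path: str) -> str:
    """Lower-cased image file name without its directory."""
    return path.rsplit("\\", 1)[-1].lower()


def find_chain(events):
    """Return (office_pid, script_pid, rundll32_pid) triples for every rundll32
    launch whose parent is a script host, whose grandparent is an Office
    process, and whose DLL argument points into a user-writable path."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _name(e.image) != "rundll32.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _name(parent.image) not in SCRIPT_HOSTS:
            continue
        grand = by_pid.get(parent.ppid)
        if grand is None or _name(grand.image) not in OFFICE:
            continue
        if any(marker in e.cmdline.lower() for marker in USER_WRITABLE):
            hits.append((grand.pid, parent.pid, e.pid))
    return hits


# Constructed sample events (illustrative values only).
SAMPLE = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(501, 400, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", 'WINWORD.EXE /n "document.doc"'),
    ProcEvent(612, 501, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\user\AppData\Local\Temp\stage.vbs"),
    ProcEvent(733, 612, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\user\AppData\Local\Temp\payload.dll,Start"),
    # Benign: rundll32 started by explorer with a system DLL, must not match.
    ProcEvent(801, 400, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for office, script, rundll in find_chain(SAMPLE):
        print(f"suspicious chain: Office pid {office} -> script host pid {script} -> rundll32 pid {rundll}")
```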