The Positive Technologies Expert Security Center (PT ESC) just revealed details of new cyber attacks launched by APT31, the criminal group known for targeting global government agencies.
More than a dozen malicious emails were sent around the world between January and July this year, and traces of the group were found in the U.S., Canada, Mongolia, the Republic of Belarus, and – for the first time – Russia.
These attacks leveraged previously unseen malicious content: The group’s new tool is a piece of malware that allows criminals to control a victim's computer or network by using remote access, and steal any file from an infected machine.
What’s known about the group’s new tool:
It uses techniques to avoid detection and self-deletes after it accomplishes its goals, as well as deletes all the files it created, and registry keys
In some cases, such as in attacks in Mongolia, the dropper was signed with a valid digital signature that was most likely stolen, indicating the attacker’s high level of knowledge
The malware can be used as a part of a global campaign that includes cyber espionage
In order to make the malicious library look like the original version, criminals named it MSVCR100.dll—the library with the exact same name is part of Visual C++ for Microsoft Visual Studio and is present on almost all computers. In addition, it contains as exports the names that can be found in the legitimate MSVCR100.dll
Researchers believe the potential malware is only version is 1.0, based on the value embedded in the code and contained in the network packages.
All this suggest the group is expanding the geography of its interests. The researchers believe further attacks are coming from this group, including against Russia. Based on the updates to its arsenal that have taken place over the last year, researchers believe the group is not afraid to make significant changes to its tools – so future malicious programs may be completely different from those already researched.