Talos finds YoroTrooper malware executing espionage attacks against CIS countries, Turkey, European institutions

On Tuesday, the cybersecurity experts at Cisco Talos spotted a new online threat actor – YoroTrooper – that has been carrying out espionage operations since June 2022. Based on their analysis, the researchers said that the main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan, and other Commonwealth of Independent States (CIS) members. The campaigns combine social engineering, spear-phishing, data exfiltration, and both custom and commodity malware.

Asheer Malhotra and Vitor Ventura, Cisco Talos researchers, wrote in a blog post that they observed YoroTrooper compromise accounts from at least two international organizations: a critical European Union (EU) healthcare agency and the World Intellectual Property Organization (WIPO). “Successful compromises also included Embassies of European countries including Azerbaijan and Turkmenistan. We assess the actor also likely targets other organizations across Europe and Turkish (Türkiye) government agencies,” they added.

“YoroTrooper’s main tools include Python-based, custom-built, and open-source information stealers, such as the Stink stealer wrapped into executables via the Nuitka framework and PyInstaller. For remote access, YoroTrooper has also deployed commodity malware, such as AveMaria/Warzone RAT, LodaRAT, and Meterpreter,” the researchers disclosed. “The infection chain consists of malicious shortcut files (LNKs) and optional decoy documents wrapped in malicious archives delivered to targets. The actor appears intent on exfiltrating documents and other information, likely for use in future operations,” they added. 

The researchers revealed that the information stolen from identified compromises includes credentials from multiple applications, browser histories and cookies, system information, and screenshots. “Cisco Talos has found three different activity clusters with overlapping infrastructure that are all linked to the same threat actor. Cisco Talos does not have a full overview of this threat actor, as we were able to collect varying amounts of detail in each campaign. In some cases, for instance, we were able to fully profile a campaign, while in other cases, we only identified the infrastructure or compromised data,” they added.

“Our assessment is that the operators of this threat actor are Russian language speakers, but not necessarily living in Russia or Russian nationals since their victimology consists mostly of countries in the Commonwealth of Independent States (CIS),” the researchers said. “There are also snippets of Cyrillic in some of their implants, indicating that the actor is familiar with the language. Also, in some cases, the attackers are targeting Russian language endpoints (with Code Page 866), indicating a targeting of individuals speaking that specific language.”

Espionage is the main motivation for this threat actor, according to the tactics, techniques and procedures (TTPs) analyzed, they said. “To trick their victims, the threat actor either registers malicious domains and then generates subdomains or registers typo-squatted domains similar to legitimate domains from CIS entities to host malicious artifacts.”

The post added that the initial attack vector is a phishing email with an attached file, usually an archive containing two files: a shortcut file and a decoy PDF. The shortcut file is the initial trigger for the infection, while the PDF is the lure that makes the infection look legitimate.

The researchers detailed that the latest infection chain, from January 2023, is relatively straightforward but consists of multiple components: archives, LNKs, HTAs, and ultimately the final payloads. The infection chains begin with a malicious archive (RAR or ZIP) delivered to targets with lure document titles referring to topics of interest to CIS nations, such as National_Development_Strategy[dot]rar and Presidents_Strategy_2023[dot]rar. The campaign has also employed generic file names such as ‘Nota[dot]rar’ and ‘вложение[dot]rar.’

“We have also observed the occasional inclusion of decoy documents in the archive files, as well,” the researchers added. The malicious LNK files are simple downloaders that employ mshta.exe to download and execute a remote HTA file on the infected endpoint. Furthermore, “the malicious HTA files employed in this campaign have seen a steady evolution with the latest variant downloading the next-stage payload: a malicious EXE-based dropper and a decoy document. All these tasks are accomplished by running PowerShell-based commands,” they added.
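The LNK → mshta.exe → remote HTA → PowerShell chain described above leaves two cheap signals in process-creation telemetry: mshta.exe started with a URL on its command line, and PowerShell whose parent is mshta.exe. The following Python is an added illustration of those two checks, not code from the article or from Talos; the events, PIDs, image paths and the placeholder URL are constructed sample data shaped loosely after Sysmon Event ID 1 fields.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon-style Image, ParentImage,
# CommandLine). Illustrative only; not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\u\Desktop\notes.txt'},
    {"pid": 5312, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" https://placeholder.invalid/stage.hta'},
    {"pid": 5344, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'powershell.exe -w hidden -c "<redacted placeholder>"'},
    {"pid": 5360, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" C:\Program Files\Vendor\setup.hta'},
]

# A remote HTA shows up as a URL on the mshta command line.
URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (works on any OS)."""
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list:
    """Return the names of the rules a single event matches."""
    hits = []
    image = image_name(event["image"])
    parent = image_name(event["parent_image"])
    if image == "mshta.exe" and URL_RE.search(event["cmdline"]):
        # mshta fetching and executing an HTA from a URL
        hits.append("mshta_remote_hta")
    if image in SCRIPT_HOSTS and parent == "mshta.exe":
        # PowerShell launched by the HTA's script engine
        hits.append("powershell_spawned_by_mshta")
    return hits


def detect(events: list) -> list:
    """Run every rule over every event; return (pid, rule) pairs in event order."""
    return [(ev["pid"], rule) for ev in events for rule in evaluate(ev)]


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The fourth event (mshta.exe opening a local HTA under Program Files) deliberately produces no alert, which is the kind of legitimate installer activity a URL-based rule avoids flagging; in practice both rules belong in an EDR or SIEM query rather than a script, but the logic is the same.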

“YoroTrooper has been consistently introducing new malware into their infection chains in this campaign, including both custom-built and commodity malware,” according to the post. “It is worth noting that while this campaign began with the distribution of commodity malware such as AveMaria and LodaRAT, it has evolved significantly to include Python-based malware. This highlights an increase in the efforts the threat actor is putting in, likely derived from successful breaches during the course of the campaign.”

The researchers also detailed the custom-built Python-based RAT, which is relatively simple. It uses Telegram as the medium for C2 communication and exfiltration, and it can run arbitrary commands on the infected endpoint and upload files of interest to the attacker to a Telegram channel via a bot.

Another Python-based payload distributed in January 2023 consists of a simple stealer script that extracts login data for the Chrome browser and exfiltrates it via a Telegram bot. This custom script has likely been stitched together from publicly available sources, such as LaZagne, the researchers noted. “YoroTrooper has relied heavily on the use of primarily two commodity malware families, AveMaria/Warzone RAT and LodaRAT, especially in October and November 2022. AveMaria is a highly prolific malware family available for sale online, while LodaRAT is a RAT-based family whose authorship has been attributed to the Kasablanka threat actor,” they added.

Another final payload found being deployed by YoroTrooper is an open-source credential stealer called ‘Stink,’ which is wrapped into an executable file using the Nuitka Python compiler framework. The researchers disclosed that Stink has several modules targeting Chromium-based browsers that collect credentials, cookies, and bookmarks, among other information. It also harvests FileZilla credentials and authentication cookies from Discord and Telegram. From the system, the stealer collects a screenshot, the external IP address, operating system, processor, graphics card, and running processes.

“All modules are executed in their own process and even each process will use its own threads to speed up the information collection process. The information is stored in a temporary directory before being compressed and exfiltrated,” the researchers added. “The sender module is responsible for data exfiltration via a Telegram bot. As of early March, the latest version of Stink Stealer 2.1.1 has an autostart configuration option that will create a link in the startup folder of the victim profile with the name ‘Windows Runner.’”
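The ‘Windows Runner’ link in the per-user Startup folder is a concrete persistence artefact a defender can hunt for. The Python below is an added example, not code from the article or from Talos: it flags Startup entries whose name matches the reported link and, more generally, any shortcut that is not in an admin-maintained baseline. The `user_startup_dir` helper, the baseline set and the contents of the temporary demo folder are assumptions constructed for the illustration.

```python
import os
import tempfile
from pathlib import Path

# Stem of the link name the article reports for Stink Stealer 2.1.1's autostart option.
KNOWN_BAD_STEMS = {"windows runner"}
# Shortcut-style entries the Startup folder honours.
LINK_SUFFIXES = {".lnk", ".url"}


def user_startup_dir():
    """Per-user Startup folder on Windows; None elsewhere (APPDATA is unset)."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    return Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def find_suspicious_startup_entries(startup_dir, baseline=frozenset()):
    """Return (file name, reason) pairs for Startup entries worth a second look.

    baseline: shortcut names already vetted on this machine (assumption: kept by
    the organisation; nothing in the article defines one).
    """
    vetted = {name.lower() for name in baseline}
    findings = []
    for entry in sorted(Path(startup_dir).iterdir(), key=lambda p: p.name):
        if not entry.is_file() or entry.suffix.lower() not in LINK_SUFFIXES:
            continue
        if entry.stem.lower() in KNOWN_BAD_STEMS:
            findings.append((entry.name, "known_stink_autostart_name"))
        elif entry.name.lower() not in vetted:
            findings.append((entry.name, "not_in_baseline"))
    return findings


def demo():
    """Run the hunt against a constructed Startup folder in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed, empty placeholder files standing in for real shortcuts.
        for name in ("OneDrive.lnk", "Windows Runner.lnk", "Updater.url", "desktop.ini"):
            (Path(d) / name).write_bytes(b"")
        return find_suspicious_startup_entries(d, baseline={"OneDrive.lnk"})


if __name__ == "__main__":
    target = user_startup_dir()
    results = find_suspicious_startup_entries(target) if target and target.is_dir() else demo()
    for name, reason in results:
        print(f"{name}: {reason}")
```

On a Windows host the script inspects the real Startup folder; anywhere else it falls back to the constructed demo folder. Name matching alone is weak (the link can be renamed), so the baseline comparison is the part worth keeping in a recurring hunt.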

Cisco Talos’ analysis has shown that YoroTrooper obtained access to credentials of at least one account from a critical EU healthcare agency’s internet-exposed system and another from the WIPO. “However, it is unclear if the threat actors targeted these institutions specifically via such phishing domains or if the credentials were compromised because they belong to users from a specific list of targeted countries in Europe. We found malicious domains masquerading as those of legitimate European Union government agencies, such as “maileecommission[.]inro[.]link”, which indicates that other European institutions were targeted,” the researchers added.
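Masquerading and typo-squatted domains like the one quoted above can be screened automatically against an allowlist of the institutions' real domains. The Python below is an added example, not code from the article or from Talos; it generalises to two checks, a brand token embedded in a non-allowlisted label and a label within a small edit distance of a brand token. The allowlist, the brand tokens and every sample domain except the defanged one from the article are constructed assumptions.

```python
# Constructed allowlist of legitimate domains and brand tokens, standing in for
# an organisation's own list; neither comes from the article.
LEGIT_DOMAINS = ("europa.eu", "ec.europa.eu")
BRAND_TOKENS = ("commission", "europa")
MAX_TYPO_DISTANCE = 2  # edits tolerated before a label counts as a typo-squat

# Sample input: the defanged domain quoted in the article plus constructed ones.
SAMPLE_DOMAINS = [
    "ec.europa.eu",
    "maileecommission[.]inro[.]link",
    "eurpoa[.]example",
    "weather[.]example",
]


def refang(domain: str) -> str:
    """Turn report-style defanging ([.] / [dot]) back into dots, normalised."""
    return domain.replace("[.]", ".").replace("[dot]", ".").lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_allowlisted(domain: str) -> bool:
    """True for an allowlisted domain or any subdomain of one."""
    d = refang(domain)
    return d in LEGIT_DOMAINS or any(d.endswith("." + legit) for legit in LEGIT_DOMAINS)


def lookalike_reasons(domain: str) -> list:
    """Reasons a domain looks like it impersonates an allowlisted brand ([] if none)."""
    if is_allowlisted(domain):
        return []
    reasons = []
    for label in refang(domain).split("."):
        flat = label.replace("-", "")
        for token in BRAND_TOKENS:
            if token in flat:
                reasons.append(f"brand_token:{token}")
            elif edit_distance(flat, token) <= MAX_TYPO_DISTANCE:
                reasons.append(f"typosquat:{token}")
    return reasons


def scan(domains: list) -> dict:
    """Map every input domain to its list of reasons (empty list means clean)."""
    return {d: lookalike_reasons(d) for d in domains}


if __name__ == "__main__":
    for domain, reasons in scan(SAMPLE_DOMAINS).items():
        print(f"{domain}: {', '.join(reasons) or 'clean'}")
```

Fed newly observed domains (from passive DNS, certificate transparency logs, or proxy logs), the same two checks surface candidates for blocking or takedown; the allowlist test comes first so that the institutions' own subdomains never trip the token rule.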

They also added that YoroTrooper successfully compromised embassies belonging to Turkmenistan and Azerbaijan, where the operators attempted to exfiltrate documents of interest and deploy additional malware. 

Typically, YoroTrooper employs information stealers and RATs. An analysis of their stolen data reveals a treasure trove of information taken from infected endpoints, such as credentials, histories, and cookies for multiple browsers, the post noted. Credentials are highly valuable because they may be used during lateral movement or in subsequent YoroTrooper campaigns. Browsing histories can be used by a threat actor to target victims with phishing lures tailored to their browsing habits.

Last September, Talos researchers discovered a malicious campaign delivering Cobalt Strike beacons that could be used in later, follow-on attacks. The attack involves a multistage, modular infection chain with fileless malicious scripts, and it uses a modularised technique to deliver Cobalt Strike beacons to infected endpoints.
