EastWind Attack Deploys PlugY and GrewApacha Backdoors Using Booby-Trapped LNK Files

The Russian government and IT organizations are currently the focus of a new spear-phishing campaign, codenamed EastWind, which is delivering various backdoors and trojans. The attack chain is marked by the use of RAR archive attachments containing a Windows shortcut (LNK) file that, when opened, triggers an infection sequence leading to the deployment of malware such as GrewApacha, an updated version of the CloudSorcerer backdoor, and a previously undocumented implant named PlugY.

PlugY is downloaded via the CloudSorcerer backdoor and features a wide range of commands, supporting three different communication protocols with its command-and-control server, according to Russian cybersecurity firm Kaspersky.

The initial infection method involves a malicious LNK file that uses DLL side-loading techniques to execute a harmful DLL file. This file uses Dropbox as a communication channel to run reconnaissance commands and download additional malware.
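Because the lure here is a shortcut file rather than an executable, a mail gateway or triage script benefits from being able to open the LNK itself and surface what it would launch. The following is an added example (not code from Kaspersky or from the campaign): a minimal parser for the Shell Link header and StringData fields described in Microsoft's MS-SHLLINK specification, plus generic review heuristics. The sample shortcut built by `build_lnk` is constructed test input, not an artifact from EastWind.

```python
"""Triage helper: parse a Windows shortcut (.lnk) and report what it launches.
Added example; the shortcut produced by build_lnk() is a constructed sample."""
import struct
from dataclasses import dataclass
from typing import Optional

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in on-disk (mixed-endian) GUID order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target minimized
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif")


@dataclass
class LnkSummary:
    show_command: int
    name: Optional[str] = None
    relative_path: Optional[str] = None
    working_dir: Optional[str] = None
    arguments: Optional[str] = None
    icon_location: Optional[str] = None


def parse_lnk(data: bytes) -> LnkSummary:
    """Validate the ShellLinkHeader, skip the optional IDList/LinkInfo blocks,
    then read the StringData fields in their fixed order."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shortcut")
    if struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("missing Shell Link header/CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]

    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize counts itself
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, no terminator
        pos += 2
        size = count * 2 if unicode else count
        raw = data[pos:pos + size]
        pos += size
        return raw.decode("utf-16-le" if unicode else "cp1252")

    s = LnkSummary(show_command=show_command)
    if flags & HAS_NAME:
        s.name = read_string()
    if flags & HAS_RELATIVE_PATH:
        s.relative_path = read_string()
    if flags & HAS_WORKING_DIR:
        s.working_dir = read_string()
    if flags & HAS_ARGUMENTS:
        s.arguments = read_string()
    if flags & HAS_ICON_LOCATION:
        s.icon_location = read_string()
    return s


def triage(s: LnkSummary) -> list:
    """Generic review heuristics for a shortcut that arrived inside an attachment."""
    findings = []
    target = (s.relative_path or "").lower()
    if target.endswith(EXECUTABLE_EXTS) and target.startswith((".\\", "..\\")):
        findings.append("launches an executable shipped next to the shortcut")
    if s.show_command == SW_SHOWMINNOACTIVE:
        findings.append("window opens minimized (ShowCommand=7)")
    if s.icon_location and not s.icon_location.lower().endswith(target.rsplit("\\", 1)[-1]):
        findings.append("icon borrowed from a different file than the target")
    if s.arguments and len(s.arguments) > 64:
        findings.append("unusually long command-line arguments")
    return findings


def build_lnk(relative_path: str, arguments: str = "", icon_location: str = "",
              show_command: int = 1) -> bytes:
    """Assemble a minimal Unicode shortcut (constructed sample for testing only)."""
    flags = IS_UNICODE | HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH
    if arguments:
        flags |= HAS_ARGUMENTS
    if icon_location:
        flags |= HAS_ICON_LOCATION
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # empty IDList: only the TerminalID

    def enc(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = enc(relative_path)
    if arguments:
        body += enc(arguments)
    if icon_location:
        body += enc(icon_location)
    return header + id_list + body


if __name__ == "__main__":
    sample = build_lnk(".\\update.exe", "-silent", "%SystemRoot%\\system32\\shell32.dll", 7)
    summary = parse_lnk(sample)
    print(summary)
    for finding in triage(summary):
        print(" -", finding)
```

The heuristics are deliberately generic: an executable referenced relative to the shortcut's own folder, a minimized window, and an icon taken from an unrelated file are the properties a reviewer checks first when a shortcut arrives by mail, regardless of which campaign it belongs to.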

Among the deployed malware, GrewApacha—a known backdoor previously linked to the China-affiliated APT31 group—is delivered through DLL side-loading. It uses a GitHub profile controlled by the attacker as a dead drop resolver to store a Base64-encoded string containing the actual command-and-control server address.

CloudSorcerer is a sophisticated cyber espionage tool that conducts stealth monitoring, data collection, and exfiltration through Microsoft Graph, Yandex Cloud, and Dropbox cloud services. The updated version of CloudSorcerer also utilizes legitimate platforms like LiveJournal and Quora as initial command-and-control servers. As in previous versions, the malware’s profile biographies contain an encrypted authentication token for interacting with the cloud service, Kaspersky noted.
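Both the GitHub dead-drop resolver used by GrewApacha and the LiveJournal/Quora profile biographies used by CloudSorcerer rely on the same trick: a public profile field carries a Base64-encoded blob that is either a server address or an encrypted token. The scanner below is an added example (not Kaspersky's code) of how a threat-intelligence or proxy-inspection script can flag such fields. It decodes every Base64-looking run in a piece of profile text and reports runs that decode to a network locator, or to opaque high-entropy bytes. The bio text and the addresses in it are constructed, using documentation ranges and the reserved example.net domain.

```python
"""Scan profile text for Base64-encoded dead-drop values.
Added example; SAMPLE_BIO and BENIGN_BIO are constructed inputs."""
import base64
import binascii
import math
import re
from collections import Counter
from ipaddress import ip_address

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
IP_LOCATOR = re.compile(r"^(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(?:/\S*)?$")
HOST_LOCATOR = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d{1,5})?(?:/\S*)?$", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random bytes approach log2(len) for short inputs."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_b64(token: str):
    """Strict decode, tolerating stripped padding; None if not valid Base64."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_locator(decoded: bytes):
    """Return ('ip'|'host', text) when the bytes spell a network locator."""
    try:
        text = decoded.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    m = IP_LOCATOR.match(text)
    if m:
        try:
            ip_address(m.group(1))
            return ("ip", text)
        except ValueError:
            return None
    if HOST_LOCATOR.match(text):
        return ("host", text)
    return None


def scan_profile_text(text: str) -> list:
    """Report every Base64 run that hides an address or an opaque blob."""
    findings = []
    for m in B64_TOKEN.finditer(text):
        token = m.group(0)
        decoded = decode_b64(token)
        if decoded is None:
            continue
        hit = classify_locator(decoded)
        if hit:
            findings.append({"token": token, "kind": hit[0], "value": hit[1]})
            continue
        printable = all(32 <= b < 127 for b in decoded)
        # An encrypted token looks like random, non-printable bytes of some length
        if not printable and len(decoded) >= 32 and shannon_entropy(decoded) > 4.5:
            findings.append({"token": token, "kind": "opaque-high-entropy", "value": None})
    return findings


# Constructed profile text: a TEST-NET-2 address, a reserved example domain,
# and a deterministic 48-byte blob standing in for an encrypted token.
SAMPLE_BIO = (
    "Backend engineer. Coffee. "
    "Notes: " + base64.b64encode(b"198.51.100.23:443").decode() + " "
    "Blog: " + base64.b64encode(b"https://example.net/blog").decode() + " "
    "Ref: " + base64.b64encode(bytes(range(48))).decode()
)
BENIGN_BIO = "Security researcher and occasional conference speaker, based in Lisbon."

if __name__ == "__main__":
    for finding in scan_profile_text(SAMPLE_BIO):
        print(finding)
    print("benign:", scan_profile_text(BENIGN_BIO))
```

Run on its own the script prints three findings for `SAMPLE_BIO` (an IP locator, a host locator and an opaque blob) and none for `BENIGN_BIO`. In practice the same function would be applied to profile fields fetched by a proxy or a CTI collector; the point is that the address never appears in cleartext, so plain string matching on the profile page misses it.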

The third malware observed in these attacks is PlugY, a fully featured backdoor capable of connecting to a management server using TCP, UDP, or named pipes. It can execute shell commands, monitor the device screen, log keystrokes, and capture clipboard content. A source code analysis of PlugY revealed similarities with a known backdoor called DRBControl (also known as Clambling), which has been associated with the China-linked threat groups APT27 and APT41.

Kaspersky further reported that the attackers behind the EastWind campaign have used popular network services like GitHub, Dropbox, Quora, LiveJournal, and Yandex Disk as command servers.

Additionally, Kaspersky disclosed a separate watering hole attack involving the compromise of a legitimate Russian gas supply website to distribute a worm named CMoon. This worm is capable of harvesting confidential and payment data, taking screenshots, downloading additional malware, and launching distributed denial-of-service (DDoS) attacks against targeted entities.

The CMoon worm, written in .NET, has extensive capabilities for data theft and remote control. Once installed, it immediately begins monitoring connected USB drives to steal files of interest and copy itself to those drives, potentially infecting other computers where the drive is used.
