A nation-state actor believed to have connections to China, known as APT31 or Bronze Vinewood, is suspected of conducting a series of cyberattacks targeting industrial organizations in Eastern Europe. The attacks occurred last year and aimed to extract data from air-gapped systems.
Cybersecurity company Kaspersky has attributed the intrusions to APT31 with medium to high confidence, citing similarities in tactics used by the hacking crew.
The attacks involved the use of more than 15 distinct implants, categorized based on their functions: establishing persistent remote access, gathering sensitive information, and transmitting the collected data to the actor-controlled infrastructure.
One of the implant types identified by Kaspersky was a sophisticated modular malware specifically designed to profile removable drives and exfiltrate data from isolated networks of industrial organizations in Eastern Europe. Another implant type was found to be responsible for stealing data from local computers and sending it to Dropbox using next-stage implants.
APT31 was also observed using various versions of a malware family called FourteenHi, along with a first-stage backdoor named MeatBall, to facilitate remote access and initial data gathering.
Additionally, a third type of first-stage implant utilized Yandex Cloud for command-and-control, indicating the threat actor’s tendency to abuse cloud services for malicious activities. These sophisticated tactics included hiding payloads in encrypted form in separate binary data files and concealing malicious code in the memory of legitimate applications via DLL hijacking and memory injections.
Although primarily targeted at Windows systems, evidence suggests that APT31 has also set its sights on Linux systems. Recent attacks on South Korean companies involved the deployment of a backdoor called Rekoobe, capable of receiving commands from a command-and-control server to perform various malicious functions, including downloading files, stealing internal data, and executing reverse shells.
ASEC, the AhnLab Security Emergency Response Center, detected these attacks and highlighted the use of encryption by Rekoobe to evade network packet detection.
