A potentially Russian state hacking group has been identified by Bitdefender as deploying a new backdoor attack against international governmental targets in Kazakhstan and Afghanistan. While direct evidence linking the attacks to Russian state hackers is lacking, various indicators suggest a connection to Moscow.
The backdoor, named DownEx by Bitdefender, was developed using multiple programming languages commonly associated with Russian intelligence hacking groups.
DownEx was first discovered by Bitdefender in late 2022, and though the initial infection vector remains unknown, spear phishing is suspected. The attack method involved disguising an executable file as a Microsoft Word document by using an icon file associated with .docx files.
Upon execution, DownEx loads a seemingly inconspicuous Word document while activating an HTML application script.
Once active, DownEx scours local and network drives to gather a wide range of files, including Word, Excel, and PowerPoint documents, images, videos, compressed files, and PDFs. The malware also searches for encryption keys and QuickBooks log files.
To exfiltrate the stolen data, DownEx encrypts it into password-protected zip archives, each limited to a size of 30 megabytes.
Kazakhstan, historically aligned with Russia, has experienced strained relations since Russia’s invasion of Ukraine in 2022.
This backdoor attack raises concerns about the cybersecurity of international governmental entities and further highlights the geopolitical tensions between Kazakhstan and Russia.
