Kaspersky uncovers malware for targeted data exfiltration from air-gapped environments

Woburn, MA – July 31, 2023 —  Kaspersky ICS CERT today shares additional research that addresses a second-stage malware succeeding the first-stage implants used for remote access and data collection in cyberattacks in Eastern Europe. This advanced tool extracts data from air-gapped systems, paving the way for the development of third-stage tools that collect and transmit the harvested data.

The research identified two specific implant types for the second stage of the attack, extracting data from infected systems. One of the implant types appeared to be a sophisticated modular malware, aimed at profiling removable drives and contaminating them with a worm to exfiltrate data from isolated, or air-gapped, networks of industrial organizations in Eastern Europe. The other type of implant is designed for stealing data from local computer and sending it to Dropbox with the help of the next-stage implants.

The malware designed explicitly to exfiltrate data from air-gapped systems by infecting removable drives consist of at least three modules, each responsible for different tasks, such as profiling and handling removable drives, capturing screenshots, and planting second-step malware on newly connected drives.

Throughout the investigation, Kaspersky's researchers observed the threat actors' deliberate efforts to evade detection and analysis. They achieved this by concealing the payload in encrypted form within separate binary data files and embedding malicious code in the memory of legitimate applications through DLL hijacking and a chain of memory injections.

"The threat actor's deliberate efforts to obfuscate their actions through encrypted payloads, memory injections, and DLL hijacking might seem underscoring the sophistication of their tactics,” said Kirill Kruglov, senior security researcher at Kaspersky ICS CERT. “Although exfiltrating data from air-gapped networks is a recurrent strategy adopted by many APTs and targeted cyberespionage campaigns, this time it has been designed and implemented uniquely by the actor. As the investigation continues, Kaspersky remains resolute in its dedication to safeguarding against targeted cyberattacks and collaborating with the cybersecurity community to disseminate actionable intelligence."

To read the full report on the second-stage of the campaign, visit ICS CERT website.

To keep your OT computers protected from various threats, Kaspersky experts recommend:

• Conducting regular security assessments on OT systems to identify and eliminate possible cyber security issues.
• Establishing a continuous vulnerability assessment and triage system as a basis for an effective vulnerability management process. Dedicated solutions like Kaspersky Industrial CyberSecurity may become an efficient assistant and a source of unique actionable information, not fully available in public.
• Performing timely updates for the key components of the enterprise’s OT network; applying security fixes and patches or implementing compensating measures as soon as it is technically possible is crucial for preventing a major incident that might cost millions due to the interruption of the production process.
• Using EDR solutions such as Kaspersky Endpoint Detection and Response for timely detection of sophisticated threats, investigation, and effective remediation of incidents.
• Improving the response to new and advanced malicious techniques by building and strengthening your teams’ incident prevention, detection, and response skills. Dedicated OT security training for IT security teams and OT personnel is one of the key measures that can help achieve this.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help over 220,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Media Contact:

Cassandra Faro

Cassandra.Faro@Kaspersky.com

781-503-1812