Woburn, MA – July 31, 2023 — Kaspersky ICS CERT today shares additional research examining the second-stage malware that follows the first-stage implants used for remote access and data collection in cyberattacks in Eastern Europe. This advanced tool extracts data from air-gapped systems, paving the way for third-stage tools that collect and transmit the harvested data.
The research identified two specific implant types for the second stage of the attack, both of which extract data from infected systems. One implant type appeared to be a sophisticated modular malware aimed at profiling removable drives and contaminating them with a worm in order to exfiltrate data from the isolated, or air-gapped, networks of industrial organizations in Eastern Europe. The other implant type is designed to steal data from the local computer and send it to Dropbox with the help of the next-stage implants.
The malware designed explicitly to exfiltrate data from air-gapped systems by infecting removable drives consists of at least three modules, each responsible for a different task: profiling and handling removable drives, capturing screenshots, and planting second-step malware on newly connected drives.
Throughout the investigation, Kaspersky's researchers observed the threat actors' deliberate efforts to evade detection and analysis. They achieved this by concealing the payload in encrypted form within separate binary data files and embedding malicious code in the memory of legitimate applications through DLL hijacking and a chain of memory injections.
"The threat actor's deliberate efforts to obfuscate their actions through encrypted payloads, memory injections, and DLL hijacking might seem to underscore the sophistication of their tactics," said Kirill Kruglov, senior security researcher at Kaspersky ICS CERT. "Although exfiltrating data from air-gapped networks is a recurrent strategy adopted by many APTs and targeted cyberespionage campaigns, this time it has been designed and implemented uniquely by the actor. As the investigation continues, Kaspersky remains resolute in its dedication to safeguarding against targeted cyberattacks and collaborating with the cybersecurity community to disseminate actionable intelligence."
To read the full report on the second stage of the campaign, visit the ICS CERT website.
To keep your OT computers protected from various threats, Kaspersky experts recommend:
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help over 220,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.