New malware samples associated with the operations of Russian threat actors Turla and Zebrocy have been released this week by the United States Cyber Command (USCYBERCOM).
Turla, which is connected to malicious activities dating back two decades and is often referred to as Rat, Waterbug, Venomous Bear, Belugasturgeon, and KRYPTON, was most recently observed attacking a European government agency with numerous backdoors.
On Thursday, USCYBERCOM posted on VirusTotal new samples of the ComRAT Trojan, which is suspected to be one of the oldest malware families employed by Russia-linked threat actors.
The FBI is highly confident that Russian-sponsored APT actor Turla, an intelligence organisation that has operated for at least a decade, is using ComRAT malware to hack victim networks. A malware analysis report from the Cybersecurity and Infrastructure Security Agency (CISA) notes that the group is well known for its customised software and tailored operations.
The report describes a PowerShell script that is used to install another script, which in turn loads the ComRAT version 4 DLL. CISA explains that the malware contains DLLs used as communication modules that are injected into the default browser and that use a named pipe to communicate with the ComRATv4 code. A Gmail web interface is used to receive commands and exfiltrate files.
In total, USCYBERCOM posted five ComRAT files and two samples associated with the Russian threat actor Zebrocy on VirusTotal.
Zebrocy, a Russian hacking group first detailed in 2018, is considered part of the notorious Sofacy APT (also referred to as APT28, Fancy Bear, Pawn Storm, Sednit, and Strontium) by some security firms, while others see it as a distinct organisation.
New Zebrocy attacks were discovered in September 2020, demonstrating persistent targeting of countries connected to the North Atlantic Treaty Organization (NATO).
The two Zebrocy samples that USCYBERCOM shared on VirusTotal are Windows executables suspected to be a new version of the Zebrocy backdoor. The malware gives attackers remote access to a compromised device and facilitates multiple operations, CISA says.
CISA advises users and administrators to implement security best practices to ensure that their devices stay safe from the recently shared malware samples and other risks.