For the last nine months, a previously unknown Russian-speaking threat actor has been targeting government, energy, and international organizations in Azerbaijan, Kyrgyzstan, Tajikistan, as well as European countries, with cyberespionage campaigns that employ a range of commodity and custom malware tools.
The campaigns are the work of a group that researchers from Cisco Talos have named YoroTrooper, and they have been ongoing since at least June 2022. The threat actor uses phishing as the initial attack vector and tailors the emails and attachments to the specific target organization, setting up either typosquatting or lookalike domains for each target. YoroTrooper has compromised embassies of Turkmenistan and Azerbaijan, and also stole credentials from at least one account in a European health care agency. The group uses RATs and information stealer malware in its campaigns, but also has some custom Python implants in its arsenal.
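The two domain patterns described here (a typo-squatted copy of a legitimate domain, or a subdomain under an attacker-registered domain that embeds the legitimate name) can both be caught with a simple triage check against a list of domains the organization trusts. The following is an added example written for this article, not code from Talos or from the campaign; the trusted domains and the hostnames it classifies are constructed placeholders, and the registrable-domain logic is a deliberately crude "last two labels" rule rather than a public-suffix lookup.

```python
"""Lookalike-domain triage: flag hostnames that imitate a trusted domain."""
from typing import List, Optional, Tuple

# Constructed list of domains the organization treats as legitimate (placeholders).
TRUSTED_DOMAINS: List[str] = ["mfa.gov-example.tld", "energyco-example.tld"]


def labels(host: str) -> List[str]:
    """Split a hostname into lowercase DNS labels, tolerating a trailing dot."""
    return host.lower().strip().rstrip(".").split(".")


def registrable_domain(host: str) -> str:
    """Crude registrable domain: the last two labels.
    Real deployments should consult the public suffix list (e.g. co.uk)."""
    parts = labels(host)
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, trusted: List[str] = TRUSTED_DOMAINS,
             max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_trusted_domain).

    verdict is one of:
      'trusted'             - host sits under a trusted registrable domain
      'typosquat'           - registrable domain is within max_distance edits of a trusted one
      'subdomain_lookalike' - a trusted brand label appears left of a foreign registrable domain
      'ok'                  - nothing resembling a trusted domain
    """
    host_reg = registrable_domain(host)
    trusted_regs = {registrable_domain(t) for t in trusted}
    if host_reg in trusted_regs:
        return ("trusted", host_reg)

    # Pattern 1: typo-squatted registrable domain (small edit distance, not equal).
    # Keep max_distance small: on short domains a distance of 2 already produces noise.
    best = None
    for t in trusted_regs:
        d = levenshtein(host_reg, t)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, t)
    if best is not None:
        return ("typosquat", best[1])

    # Pattern 2: legitimate name embedded as a subdomain of an attacker-registered domain,
    # e.g. gov-example.<attacker>.tld or login-gov-example.<attacker>.tld.
    prefix_labels = labels(host)[:-2]
    for t in trusted_regs:
        brand = labels(t)[0]
        if any(brand in lab for lab in prefix_labels):
            return ("subdomain_lookalike", t)

    return ("ok", None)


if __name__ == "__main__":
    for h in ["mfa.gov-example.tld", "mfa.gov-exarnple.tld",
              "gov-example.attacker-example.tld", "news.unrelated-site.tld"]:
        print(h, "->", classify(h))
```

Feed it the domains seen in mail headers, proxy logs or new certificate-transparency entries; a 'typosquat' or 'subdomain_lookalike' verdict is a candidate for blocking and for a closer look at whatever was hosted there.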
Although there are some overlaps and links with some existing attack teams, including the PoetRAT group, Talos researchers assess that YoroTrooper is a separate entity running its own operations.
“Espionage is the main motivation for this threat actor, according to the tactics, techniques and procedures (TTPs) we have analyzed. To trick their victims, the threat actor either registers malicious domains and then generates subdomains or registers typo-squatted domains similar to legitimate domains from CIS entities to host malicious artifacts,” Asheer Malhotra and Vitor Ventura of Talos wrote in a post about the YoroTrooper campaigns.
“The initial attack vectors are phishing emails with a file attached, which usually consists of an archive consisting of two files: a shortcut file and a decoy PDF file. The shortcut file is the initial trigger for the infection, while the PDF is the lure to make the infection look legitimate.”
YoroTrooper uses several different tools in its intrusions, including the LodaRAT malware, which has been attributed to the Kasablanka cyber espionage group. LodaRAT is not a publicly available tool, but there are several individual groups using it. YoroTrooper also employs some custom Python malware, including a script designed to steal credentials from Google Chrome and a RAT that can exfiltrate data from a target system.
The typical intrusion begins with a phishing email and an attachment, which usually includes a malicious RAR or ZIP archive that contains an LNK file. The LNKs in turn download a remote HTA file.
“The malicious HTA files employed in this campaign have seen a steady evolution with the latest variant downloading the next-stage payload: a malicious EXE-based dropper and a decoy document. All these tasks are accomplished by running PowerShell-based commands,” the Talos analysis says.
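The chain described in the two paragraphs above (archive attachment, LNK inside it, LNK fetching a remote HTA, HTA running PowerShell, a decoy PDF alongside) leaves several cheap signals in the attachment itself before anything executes. The script below is an added example for this article, not Talos's tooling or anything from the campaign: it opens a ZIP in memory, recognizes shortcut files by the fixed ShellLinkHeader bytes rather than by extension, looks for mshta/HTA/PowerShell/URL strings in both ASCII and UTF-16LE, and reports the LNK-plus-decoy pairing. The sample archive it builds is a constructed fixture: the "shortcut" is only the header followed by a command string on a `.invalid` domain, not a working shortcut.

```python
"""Triage a ZIP attachment for the LNK -> remote HTA -> PowerShell pattern."""
import io
import re
import zipfile
from typing import Dict, List, Tuple

# ShellLinkHeader: HeaderSize 0x4C (LE) followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Strings a downloader shortcut or its HTA stage typically carries.
INDICATORS = {
    "mshta": re.compile(r"mshta", re.I),
    "hta_url": re.compile(r"https?://\S+?\.hta\b", re.I),
    "powershell": re.compile(r"powershell|pwsh", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}


def is_lnk(data: bytes) -> bool:
    """Identify a shortcut by header bytes, so renamed .lnk files are still caught."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def extract_strings(data: bytes) -> str:
    """Decode as latin-1 plus UTF-16LE at both byte offsets; LNK paths are UTF-16."""
    texts = [data.decode("latin-1")]
    for off in (0, 1):
        texts.append(data[off:].decode("utf-16-le", errors="ignore"))
    return "\n".join(texts)


def scan_member(name: str, data: bytes) -> Dict:
    text = extract_strings(data)
    hits = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
    return {"name": name, "is_lnk": is_lnk(data), "indicators": hits}


def scan_archive(blob: bytes) -> List[Dict]:
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [scan_member(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]


def verdict(findings: List[Dict]) -> Tuple[str, List[str]]:
    """Combine per-file findings into ('suspicious' | 'clean', reasons)."""
    reasons = []
    lnks = [f for f in findings if f["is_lnk"]]
    decoys = [f for f in findings
              if f["name"].lower().endswith(".pdf") and not f["is_lnk"]]
    for f in lnks:
        if f["indicators"]:
            reasons.append(f"{f['name']}: LNK with {', '.join(f['indicators'])}")
        if not f["name"].lower().endswith(".lnk"):
            reasons.append(f"{f['name']}: LNK header under a non-.lnk name")
        if re.search(r"\.(pdf|docx?|xlsx?)\.lnk$", f["name"], re.I):
            reasons.append(f"{f['name']}: document extension in front of .lnk")
    if lnks and decoys:
        reasons.append("LNK paired with a PDF decoy in the same archive")
    return ("suspicious" if reasons else "clean", reasons)


def build_sample_archive() -> bytes:
    """Constructed fixture, not a real shortcut: LNK header, padding, then the kind
    of command string a downloader shortcut would carry (placeholder .invalid host)."""
    fake_lnk = (LNK_MAGIC + b"\x00" * 60
                + "mshta http://update-example.invalid/doc.hta".encode("utf-16-le"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Document.pdf.lnk", fake_lnk)
        zf.writestr("Document.pdf", b"%PDF-1.4\n% constructed decoy with no content\n")
    return buf.getvalue()


if __name__ == "__main__":
    result, why = verdict(scan_archive(build_sample_archive()))
    print(result)
    for line in why:
        print(" -", line)
```

Header-based LNK detection matters more than the extension check: the same logic applies to RAR attachments once the members are extracted, and a mail gateway rule that simply blocks `.lnk` by name misses a renamed shortcut while this does not.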
The YoroTrooper campaigns first surfaced in June 2022 and have evolved over time, both in terms of victims and tools.
“It is worth noting that while this campaign began with the distribution of commodity malware such as AveMaria and LodaRAT, it has evolved significantly to include Python-based malware. This highlights an increase in the efforts the threat actor is putting in, likely derived from successful breaches during the course of the campaign,” the Talos post says.
The most recent YoroTrooper campaigns from January and February have targeted organizations in Uzbekistan and the group has evolved its tactics, sometimes deploying a Meterpreter payload or a custom keylogger.