Cybersecurity researchers have detected new activity from a notorious Advanced Persistent Threat (APT) group in countries it didn’t attack earlier, particular Russia.
Detected by the Positive Technologies Expert Security Center (PT ESC), the attacks have been traced back to APT31, also referred to as Zirconium by Microsoft, which is presumed to work on behalf of the Chinese government.
“The group's infrastructure is also growing—all this, combined with the fact that the group has not previously attacked Russia, suggests that it is expanding to countries where its increasing activity can be detected, in particular our country,” said Denis Kuvshinov, Head of Threat Analysis at the Moscow-headquartered Positive Technologies.
- These are the best endpoint protection tools
- Check our list of the best firewall apps and services
- Here's our choice of the best malware removal software on the market
In their analysis of the new series of attacks, detected between January and July 2021, the researchers noticed that APT31 first targeted Mongolia, before going after targets in Russia, Belarus, Canada, and the US.
Updated arsenal
PT ESC has compiled a detailed report on the new series of attacks. As is usual, phishing emerged as the initial attack vector, which tricked users by imitating a domain used by the Russian government.
Furthermore, the attacks relied on an unseen malware; a remote access trojan (RAT) which could have enabled the group to monitor and perhaps even control the infected computers.
Daniil Koloskov, Senior Threat Analysis Specialist at Positive Technologies observed that the APT31 was particularly cunning in developing and deploying the malware. Not only did it employ various techniques to avoid detection, it also self-destructed after accomplishing its goals, wiping all traces of the files and registry keys it created.
“In order to make the malicious library look like the original version, they named it MSVCR100.dll—the library with the exact same name is part of Visual C++ for Microsoft Visual Studio and is present on almost all computers. In addition, it contains as exports the names that can be found in the legitimate MSVCR100.dll,” said Koloskov.
- Protect your devices with these best antivirus software
