Hackers use new malware to breach air-gapped devices in Eastern Europe

GURPS

Multi-stage attacks

Kaspersky says that the attacks started in April last year and involved three separate stages. The implants in the initial phase established persistence and remote access to the compromised systems and collected data useful for reconnaissance.

In the second stage, APT31 drops more specialized malware that can steal data from isolated (air-gapped) systems using USB propagation.

Finally, in the third stage of the attack, the hackers use implants that can upload the collected data to their command and control (C2) servers.

The malware that targets isolated systems consists of four modules described below.

  1. First module: Profiles removable drives connected to the system, collects files, captures screenshots and window titles, and drops additional payloads on the infected device.
  2. Second module: Infects removable drives by copying a legitimate McAfee executable which is vulnerable to DLL hijacking, and a malicious DLL payload onto the root directory of the device, and sets them as "hidden." The tool also creates a lure LNK file that triggers the infection if the victim launches it.
  3. Third module: Executes a batch script to collect data from the device and save the output to the "$RECYCLE.BIN" folder, from where the first module will collect it.
  4. Fourth module: Variant of the first module seen in some attacks, acts as a payload dropper, keylogger, screenshot-capturing tool, and file stealer.
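The second and third modules above leave two host-side artifacts a defender can check for on a removable drive: a hidden executable sitting next to a hidden DLL in the drive root with a lure .lnk alongside it, and collection output parked under $RECYCLE.BIN. The script below is an added example (not Kaspersky's or BleepingComputer's code) that encodes those two indicators as a scan over a drive listing. The file names in the sample listing are constructed placeholders, not names from the report, and the $RECYCLE.BIN heuristic (anything that is not desktop.ini or a normal $I/$R deleted-file pair is flagged) is an assumption about what a clean bin looks like.

```python
"""Indicator scan for the USB-propagation pattern described above.

Added example, not code from the article or from Kaspersky. It runs against a
constructed in-memory listing so it works offline; list_drive() builds the same
listing from a real mounted drive on Windows.
"""
import os
import stat
from dataclasses import dataclass

# FILE_ATTRIBUTE_HIDDEN is defined in the stat module on all platforms.
_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


@dataclass(frozen=True)
class Entry:
    path: str     # path relative to the drive root, forward slashes
    hidden: bool  # True when the hidden attribute is set


def list_drive(root):
    """Walk a mounted drive and build Entry objects (hidden flag is Windows-only)."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            attrs = getattr(os.stat(full), "st_file_attributes", 0)
            entries.append(Entry(rel, bool(attrs & _HIDDEN)))
    return entries


def _root_files(entries):
    return [e for e in entries if "/" not in e.path]


def find_lure_pairs(entries):
    """Flag a hidden .exe and hidden .dll in the drive root with a .lnk next to them.

    This is the layout the second module creates: a legitimate, DLL-hijackable
    executable plus its malicious DLL, both hidden, and a visible lure shortcut.
    """
    root = _root_files(entries)
    hidden_exes = [e for e in root if e.hidden and e.path.lower().endswith(".exe")]
    hidden_dlls = [e for e in root if e.hidden and e.path.lower().endswith(".dll")]
    lnks = [e for e in root if e.path.lower().endswith(".lnk")]
    if not (hidden_exes and hidden_dlls and lnks):
        return []
    return [
        {"exe": exe.path,
         "dlls": sorted(d.path for d in hidden_dlls),
         "lures": sorted(l.path for l in lnks)}
        for exe in hidden_exes
    ]


def find_recycle_bin_staging(entries):
    """Flag files under $RECYCLE.BIN that do not look like normal bin contents.

    Assumption: a clean bin holds desktop.ini files and $I/$R pairs for deleted
    items. Anything else is a candidate for the third module's staged output.
    """
    suspicious = []
    for e in entries:
        parts = e.path.split("/")
        if len(parts) < 2 or parts[0].lower() != "$recycle.bin":
            continue
        name = parts[-1]
        if name.lower() == "desktop.ini" or name.startswith(("$I", "$R")):
            continue
        suspicious.append(e.path)
    return suspicious


def scan(entries):
    """Run both checks and return a small report dict."""
    return {
        "lure_pairs": find_lure_pairs(entries),
        "recycle_bin_staging": find_recycle_bin_staging(entries),
    }


# Constructed sample listing; names are placeholders, not indicators from the report.
SAMPLE_DRIVE = [
    Entry("Documents.lnk", hidden=False),            # visible lure shortcut
    Entry("updater.exe", hidden=True),               # placeholder for the hijackable host exe
    Entry("helper.dll", hidden=True),                # placeholder for the malicious DLL
    Entry("photos/IMG_0001.jpg", hidden=False),      # ordinary user content
    Entry("$RECYCLE.BIN/desktop.ini", hidden=True),
    Entry("$RECYCLE.BIN/S-1-5-21-1000/$IAB12CD.txt", hidden=False),  # normal deleted-file pair
    Entry("$RECYCLE.BIN/S-1-5-21-1000/$RAB12CD.txt", hidden=False),
    Entry("$RECYCLE.BIN/sysinfo.dat", hidden=True),  # staged collection output
]

if __name__ == "__main__":
    print(scan(SAMPLE_DRIVE))
```

On a real drive, replace SAMPLE_DRIVE with list_drive("E:\\") (or whatever letter the removable device mounts as) and run from an account that can read the hidden entries; the hidden flag is only populated on Windows because st_file_attributes does not exist elsewhere.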