The Chinese cyberespionage group APT31, also tracked as Bronze Vinewood, Judgement Panda, or Violet Typhoon, has been linked to advanced backdoors capable of covertly transmitting confidential data to Dropbox.
The malware is part of a large suite of more than 15 tools the adversary used during its 2022 attacks on industrial organizations in Eastern Europe.
“Through these tactics, the attackers intended to create a lasting route for data extraction, even targeting information within air-gapped systems,” Kaspersky reported, highlighting previously undocumented APT31 techniques.
The attacks rely on a three-stage malware chain, with each stage dedicated to a different part of the intrusion: establishing persistence, collecting sensitive data, and forwarding that data to an external server under the attackers' control.
Notably, some variants of the second-stage backdoors can search for file names in Microsoft Outlook, execute remote commands, and launch the third-stage component, which completes the exfiltration by sending the data as RAR archive files.
“The inaugural phase ensures continuity, initializing the secondary malware module, which is charged with transmitting the accumulated files to the server using the tertiary implant for clean-up,” the Russian cybersecurity company said.
What sets APT31 apart is its use of a command-and-control (C2) server inside the victim's corporate network as a relay for extracting data from offline hosts, indicating deliberate targeting of isolated systems.
Kaspersky also identified other tools in the attackers' arsenal used to manually upload data to Yandex Disk and to various temporary file-sharing services such as extraimage, imgbb, imgshare, schollz, and zippyimage. A further, similar tool was configured to send data via the Yandex email service.
These findings underline the attackers' thorough preparation and their ability to keep innovating and expanding their cyberespionage toolkit.
“Exploiting renowned cloud storage platforms can potentially help the perpetrators bypass security protocols,” Kaspersky commented. “However, this also introduces the risk of the pilfered data being inadvertently exposed if an external entity gains access to the storage managed by the attackers.”