Kaspersky uncovers malware for targeted data exfiltration from air-gapped environments

Kaspersky’s ICS CERT report has revealed part two of its research, which addresses a second-stage malware succeeding the first-stage implants used for remote access and data collection in cyberattacks in Eastern Europe. This advanced tool extracts data from air-gapped systems, paving the way for the development of third-stage tools that collect and transmit the harvested data.

The research identified two specific implant types used in the second stage of the attack to extract data from infected systems. One implant type appeared to be a sophisticated modular malware aimed at profiling removable drives and contaminating them with a worm in order to exfiltrate data from the isolated, or air-gapped, networks of industrial organizations in Eastern Europe. The other type of implant is designed to steal data from a local computer and send it to Dropbox with the help of the next-stage implants.

The malware designed explicitly to exfiltrate data from air-gapped systems by infecting removable drives consists of at least three modules, each responsible for a different task, such as profiling and handling removable drives, capturing screenshots, and planting second-step malware on newly connected drives.

Throughout the investigation, Kaspersky’s researchers observed the threat actors’ deliberate efforts to evade detection and analysis. They achieved this by concealing the payload in encrypted form within separate binary data files and embedding malicious code in the memory of legitimate applications through DLL hijacking and a chain of memory injections.

“The threat actor’s deliberate efforts to obfuscate their actions through encrypted payloads, memory injections, and DLL hijacking might seem to underscore the sophistication of their tactics. Although exfiltrating data from air-gapped networks is a recurrent strategy adopted by many APTs and targeted cyberespionage campaigns, this time it has been designed and implemented uniquely by the actor. As the investigation continues, Kaspersky remains resolute in its dedication to safeguarding against targeted cyberattacks and collaborating with the cybersecurity community to disseminate actionable intelligence,” comments Kirill Kruglov, senior security researcher at Kaspersky ICS CERT.
