Chinese hackers are reportedly now deploying malware on targets in Russia

New variant wipes all traces of its existence when its work is done


Cybersecurity researchers have detected new activity from a notorious Advanced Persistent Threat (APT) group in countries it had not attacked before, particularly Russia.

Detected by the Positive Technologies Expert Security Center (PT ESC), the attacks have been traced back to APT31, also referred to as Zirconium by Microsoft, which is presumed to work on behalf of the Chinese government.

“The group’s infrastructure is also growing—all this, combined with the fact that the group has not previously attacked Russia, suggests that it is expanding to countries where its increasing activity can be detected, in particular our country,” said Denis Kuvshinov, Head of Threat Analysis at the Moscow-headquartered Positive Technologies.


In their analysis of the new series of attacks, detected between January and July 2021, the researchers noticed that APT31 first targeted Mongolia, before going after targets in Russia, Belarus, Canada, and the US.

Updated arsenal

PT ESC has compiled a detailed report on the new series of attacks. As is usual, phishing emerged as the initial attack vector; the lures tricked users by imitating a domain used by the Russian government.

Furthermore, the attacks relied on previously unseen malware: a remote access trojan (RAT) that could have enabled the group to monitor and perhaps even control the infected computers.

Daniil Koloskov, Senior Threat Analysis Specialist at Positive Technologies, observed that APT31 was particularly cunning in developing and deploying the malware. Not only did it employ various techniques to avoid detection, it also self-destructed after accomplishing its goals, wiping all traces of the files and registry keys it had created.


“In order to make the malicious library look like the original version, they named it MSVCR100.dll—the library with the exact same name is part of Visual C++ for Microsoft Visual Studio and is present on almost all computers. In addition, it contains as exports the names that can be found in the legitimate MSVCR100.dll,” said Koloskov.
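A hunting check for the DLL-masquerading technique Koloskov describes, added here as an example; it is not part of the article or of Positive Technologies' report. It runs over constructed Sysmon Event ID 7 (ImageLoad) records and flags loads of a file named MSVCR100.dll that is not signed by Microsoft, or that comes from outside the Windows system directories. The compact record format, the trusted-directory list and the hash values are assumptions made for the example.

```python
"""
Hunt for masqueraded MSVCR100.dll loads in Sysmon Event ID 7 (ImageLoad) records.

A real Sysmon ImageLoad event carries the loading process (Image), the module
path (ImageLoaded), its hashes and the Signed/Signature/SignatureStatus fields.
The records below are constructed for this example and rendered as
"Field: value" pairs joined by " | "; hash values are placeholders.
"""
from typing import List, Optional

TARGET_DLL = "msvcr100.dll"

# Directories where the genuine CRT library is expected to live (assumption;
# extend for your environment, e.g. application install directories you trust).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\svchost.exe | ImageLoaded: C:\\Windows\\System32\\MSVCR100.dll | "
    "Hashes: SHA256=AAAA | Signed: true | Signature: Microsoft Corporation | SignatureStatus: Valid",
    "Image: C:\\Users\\user\\AppData\\Local\\Temp\\update.exe | "
    "ImageLoaded: C:\\Users\\user\\AppData\\Local\\Temp\\MSVCR100.dll | "
    "Hashes: SHA256=BBBB | Signed: false | Signature: - | SignatureStatus: Unavailable",
    "Image: C:\\Program Files\\App\\app.exe | ImageLoaded: C:\\Program Files\\App\\MSVCR100.dll | "
    "Hashes: SHA256=CCCC | Signed: true | Signature: Microsoft Corporation | SignatureStatus: Valid",
    "Image: C:\\Windows\\System32\\notepad.exe | ImageLoaded: C:\\Windows\\System32\\kernel32.dll | "
    "Hashes: SHA256=DDDD | Signed: true | Signature: Microsoft Corporation | SignatureStatus: Valid",
]


def parse_event(line: str) -> dict:
    """Split a ' | '-joined 'Field: value' record into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def is_trusted_path(path: str) -> bool:
    """True if the module sits under one of the trusted system directories."""
    lowered = path.lower()
    return any(lowered.startswith(d) for d in TRUSTED_DIRS)


def assess(event: dict) -> Optional[dict]:
    """Return a finding for a MSVCR100.dll load, or None if the event is not one.

    Signature problems are rated high: the real CRT is always Microsoft-signed,
    so an unsigned or foreign-signed copy is a strong masquerading signal.
    A Microsoft-signed copy loaded from an application directory is rated low,
    because vendors legitimately ship the redistributable next to their binaries.
    """
    loaded = event.get("ImageLoaded", "")
    if not loaded.lower().endswith("\\" + TARGET_DLL):
        return None

    reasons: List[str] = []
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned")
    elif event.get("Signature", "") != "Microsoft Corporation":
        reasons.append("signer-not-microsoft")
    elif event.get("SignatureStatus", "") != "Valid":
        reasons.append("signature-invalid")
    if not is_trusted_path(loaded):
        reasons.append("outside-trusted-dirs")

    if any(r != "outside-trusted-dirs" for r in reasons):
        severity = "high"
    elif reasons:
        severity = "low"
    else:
        severity = "none"
    return {"process": event.get("Image"), "path": loaded, "reasons": reasons, "severity": severity}


def hunt(lines: List[str]) -> List[dict]:
    """Run the check over raw records and keep only events with at least one reason."""
    findings = []
    for line in lines:
        result = assess(parse_event(line))
        if result and result["reasons"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['process']} loaded {finding['path']}: "
              f"{', '.join(finding['reasons'])}")
```

Because the implant deletes its files and registry keys once its work is done, an image-load record captured at the moment of loading may be the only artifact left on the host, which is why this check keys on telemetry rather than on a disk scan. Export-name mimicry does not change the outcome here: the check never trusts the file name, only the Authenticode result and the location.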

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
