Popular Daemon Tools Disk Application Compromised in Month-Long Supply Chain Attack

Recent Cyberattack Targets Dozens of Organizations with Sophisticated Backdoors

A follow-on payload that Kaspersky describes as a “minimalistic backdoor” has reached nearly a dozen organizations. The malware can execute commands, download files, and run shellcode in memory, which makes it considerably harder to detect.

Kaspersky has also analyzed a more intricate backdoor labeled QUIC RAT, which was discovered on a single machine belonging to an educational institution in Russia. Initial evaluations reveal that QUIC RAT can inject malicious payloads into essential processes such as notepad.exe and conhost.exe. Furthermore, it supports a variety of command and control (C2) communication protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3, showcasing its versatility and complexity.

The cyberattack has predominantly targeted around 100 organizations across countries such as Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. Kaspersky’s insights into the breach are somewhat constrained, relying primarily on telemetry from its own cybersecurity products.

According to Kaspersky’s investigative team, about 10% of the affected systems belong to various businesses and organizations. Notably, attackers seem to have primarily targeted these systems with information collector payloads. However, the more sophisticated backdoor was observed only on a limited number of machines across government, scientific, manufacturing, and retail sectors located in Russia, Belarus, and Thailand. This selective deployment indicates a targeted approach, although the attackers’ intentions—whether for cyberespionage or ‘big game hunting’—remain ambiguous.

Recent trends also indicate a rise in supply-chain attacks, with significant incidents targeting platforms like Trivy, Checkmarx, Bitwarden, and over 150 packages accessible through open-source repositories. The previous year alone witnessed at least six noteworthy supply-chain breaches.

Users of applications such as Daemon Tools should run a full scan of their systems with reputable antivirus software. Windows users in particular are advised to check for the indicators of compromise listed in Kaspersky’s analysis. Advanced users may also want to look for suspicious code injected into legitimate system processes, especially where the injecting executable or loaded module lives in a user-writable directory such as Temp, AppData, or Public.
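The check above can be scripted against endpoint telemetry. The following is an added example, not code from the article or from Kaspersky: it triages constructed Sysmon-style events (Event ID 1 ProcessCreate, 7 ImageLoaded, 8 CreateRemoteThread; field names follow Sysmon’s schema, all values are made up) and flags processes started from Temp, AppData or Public, modules loaded from those directories into notepad.exe or conhost.exe (the host processes the article names), and remote threads created in those processes by anything outside the Windows directory. The directory list and host-process set are assumptions you would tune to your environment.

```python
"""Triage Sysmon-style events for injection into system processes.

Added example, not from the article or Kaspersky. SAMPLE_EVENTS below are
constructed; they imitate the shape of Sysmon events 1, 7 and 8 but every
path and name is invented.
"""
import re

# User-writable locations the article singles out (assumption: tune per host).
SUSPICIOUS_DIRS = (
    r"\\Windows\\Temp\\",
    r"\\AppData\\",
    r"\\Users\\Public\\",
    r"\\Temp\\",
)
SUSPICIOUS_DIR_RE = re.compile("|".join(SUSPICIOUS_DIRS), re.IGNORECASE)

# Host processes the article names as injection targets (assumption: extend as needed).
INJECTION_TARGETS = {"notepad.exe", "conhost.exe"}
WINDOWS_ROOT = "c:\\windows\\"


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def from_suspicious_dir(path):
    """True when the path sits under one of the user-writable directories."""
    return bool(SUSPICIOUS_DIR_RE.search(path))


def triage(events):
    """Return (EventID, reason, detail) tuples for events worth a closer look."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and from_suspicious_dir(ev["Image"]):
            findings.append((eid, "process started from user-writable directory", ev["Image"]))
        elif eid == 7:
            # A system process pulling a DLL out of Temp/AppData/Public is a classic
            # sideload or injection artifact.
            if basename(ev["Image"]) in INJECTION_TARGETS and from_suspicious_dir(ev["ImageLoaded"]):
                findings.append((eid, "system process loaded module from user-writable directory",
                                 f'{ev["Image"]} <- {ev["ImageLoaded"]}'))
        elif eid == 8:
            src, tgt = ev["SourceImage"], ev["TargetImage"]
            # Remote threads into notepad/conhost are normal only from Windows' own
            # binaries (e.g. csrss.exe -> conhost.exe); anything else is flagged.
            outside_windows = not src.lower().startswith(WINDOWS_ROOT)
            if from_suspicious_dir(src) or (basename(tgt) in INJECTION_TARGETS and outside_windows):
                findings.append((eid, "remote thread created in system process", f"{src} -> {tgt}"))
    return findings


# Constructed sample telemetry: two benign events interleaved with three suspicious ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\ExampleApp\app.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ParentImage": r"C:\Program Files\ExampleApp\app.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\Public\loader.dll"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\conhost.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Windows\System32\conhost.exe"},
]

if __name__ == "__main__":
    for eid, reason, detail in triage(SAMPLE_EVENTS):
        print(f"[Event {eid}] {reason}: {detail}")
```

Run against real Sysmon exports (for example, `Get-WinEvent` output converted to a list of dicts with the same field names) the three rules produce a short list of process, module and thread events to examine by hand; the csrss.exe to conhost.exe thread in the sample is deliberately left unflagged to show why the source path matters.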

Mapped against the MITRE ATT&CK framework, several adversary tactics and techniques appear relevant to this incident. Initial access likely involved the exploitation of vulnerabilities, while persistence and privilege escalation techniques may have been used to maintain the attackers’ foothold within affected networks. As organizations assess their cybersecurity posture, vigilance in monitoring for potential breaches remains paramount in this evolving threat landscape.
