Kaspersky’s latest findings reveal a newly identified threat group, dubbed Armored Likho, which is currently engaged in a sophisticated spear-phishing campaign. This operation predominantly targets government entities and energy sectors across Russia, Kazakhstan, and Brazil.
Armored Likho has developed an extensive malware arsenal designed to extract credentials, confidential documents, and other valuable information. Central to their toolkit is a novel Python-based infostealer known as BusySnake, capable of pilfering sensitive data from affected devices.
Motivation
Analysts identify two primary motivations driving this group’s activities: financial gain through targeting private individuals and cyber-espionage aimed at significant organizations. While there is no explicit attribution to any nation-state, the campaign appears to be focused on credential harvesting and maintaining persistent access to crucial infrastructures.
How The Attack Works
The attack begins with targeted spear-phishing emails, often disguised as official communications or humanitarian solicitations. These messages can include malicious archive files that employ two main delivery methods: executable droppers built with the Nullsoft Scriptable Install System (NSIS) and malicious shortcuts that exploit Windows’ handling of .lnk parameters.
When the recipient opens the attachment, both methods lead to the installation of BusySnake Stealer. In the executable pathway, the NSIS dropper initiates a legitimate process and discreetly injects the harmful loader. Conversely, in the LNK scenario, an obfuscated PowerShell command is used to download and execute the loader, which subsequently retrieves the necessary Python components and the BusySnake payload from GitHub repositories.
Stealing the Data
Once a device is compromised, attackers can access an extensive array of sensitive information. The malware captures clipboard contents, gathers browser cookies, extracts session tokens from Telegram, and performs both data exfiltration and screenshot capture. Notably, it is also capable of scraping two-factor authentication secrets and hunting for cryptocurrency wallets.
Additionally, BusySnake incorporates reverse SSH tunneling, providing attackers sustained remote access for manual inspection of compromised systems and the extraction of targeted files post-infection.
Using AI to Hide Tracks
Kaspersky has reported challenges in tracing the origins of these malicious loaders, primarily due to the hackers’ employment of AI to generate their initial payloads. This automated methodology modifies the code sufficiently to obscure the group’s typical patterns, complicating efforts to securely attribute their activities.
Previous Attacks Linked to Armored Likho
The campaign has been associated with a newly designated APT group referred to as Armored Likho, or Eagle Werewolf, based on indirect evidence. Although this group’s name has just surfaced in Kaspersky’s report, researchers are linking them to prior activities involving the AquilaRAT malware.
Both AquilaRAT and BusySnake Stealer exhibit similar architectures and operate through comparable command and control endpoints, masking their operations as legitimate Microsoft utilities. As per current intelligence, Armored Likho remains active, and despite efforts to obfuscate their tactics and evolve their malware variants, Kaspersky continues to track the group’s activities, persistently monitoring for new campaigns.