BleepingComputer reports that Russian government entities and IT firms had their systems compromised in a barrage of attacks late last month part of the EastWind campaign associated with Chinese state-backed hacking groups APT27 and APT31.
Intrusions commenced with the delivery of phishing emails with RAR archives deploying a backdoor that facilitated the injection of the APT31-linked GrewApacha trojan, as well as a new version of the CloudSorcerer malware that bypasses detection through VMProtect, a report from Kaspersky revealed. Further analysis also showed that deployment of the PlugY backdoor, which features code observed in attacks by APT27. Aside from enabling file operations and shell command execution, PlugY also allows keylogging, clipboard tracking, and screen capturing, said researchers, who noted possible collaboration between APT27 and APT31 in the EastWind campaign. Organizations looking to determine impacted machines have been urged to be vigilant of DLL files larger than 5MB in the Public directory, as well as the presence of the 'msiexec.exe' process for logged-in users and unsigned 'msedgeupdate.dll' files.
