Chinese Cyberespionage Group APT31 Targets Eastern European Entities

Modus operandi

• The attackers abused DLL hijacking vulnerabilities in cloud-based data storage systems such as Dropbox or Yandex, as well as a temporary file-sharing service, to deliver next-stage malware.  
• A total of 15 implant variants with different capabilities were used in the attack.
• Some of these were different versions of FourteenHi malware, which were distributed as first-stage implants, enabling attackers to gain persistent remote access, upload and download files, and initializing a reverse shell.
• In addition, the attackers leveraged a new malware, dubbed MeatBall, that comes with vast remote access capabilities, including making a list of processes running on systems, capturing screenshots, and using a remote shell.
• Another interesting implant was found using Yandex cloud data storage as the C2 server. It exfiltrated computer names, usernames, IP addresses, Mac addresses, and OS versions from compromised systems.  

Europe remains a hotbed for attacks

• Recently, RomCom attackers were tied to a phishing campaign that targeted the European delegates who attended the NATO Summit in Vilnius, Lithuania. The campaign used typosquatting techniques and spear-phishing emails to infect visitors with malware. 
• In a separate incident, researchers discovered a wave of attacks targeted European entities, especially those focused on foreign policy, with the PlugX malware, using the HTML Smuggling attack technique.
• Meanwhile, a 10 times increase was observed in the frequency of BEC attacks across Europe between June 2022 and May 2023, as compared to the previous year. 

Conclusion