The Chinese threat actor APT31 has been identified as the developer of advanced backdoors capable of exfiltrating sensitive information to Dropbox.
The malware is part of a broader collection of more than 15 implants used by the adversary in attacks targeting industrial organizations in Eastern Europe in 2022.
Kaspersky, the security firm that analysed the campaign, described a three-stage malware stack in which each stage handled a different part of the attack chain: the first established persistence, the second gathered sensitive data, and the third transmitted that data to a remote server controlled by the attackers.
Some variants of the second-stage backdoor could search for file names in the Microsoft Outlook folder, execute remote commands, and hand data to the third-stage component for exfiltration as RAR archives.
One notable element of the campaign was command-and-control (C2) infrastructure placed inside the corporate perimeter. An internal host acted as a proxy, letting the attackers pull data from air-gapped systems that had no direct internet access and relay it outward.
Kaspersky also found additional tools that APT31 used to manually upload data to Yandex Disk and to temporary file-sharing services such as extraimage, imgbb, imgshare, schollz, and zippyimage. One implant was explicitly configured to send data via the Yandex email service.
These findings point to careful planning and adaptability in APT31's espionage operations. Abusing popular cloud storage services helps the actor blend exfiltration into legitimate traffic, but it also means the stolen data could be exposed to any third party who gains access to the storage the attackers use.
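The two observations above, an internal relay host fronting air-gapped machines and bulk uploads to consumer file-sharing services, leave a footprint that defenders can look for in their own telemetry. The following detector is an added example and is not code from the article or from Kaspersky's report. It assumes two constructed log formats (an outbound-proxy log and an internal flow log), constructed hostnames and IP addresses, and a watched-domain list that maps the services named in the article to apex domains; all of those are assumptions to be replaced with what your proxy and flow sensors actually emit.

```python
"""
Detection sketch for the relay-and-upload pattern described above. Added example,
not code from the article or from Kaspersky; log formats, hostnames, IP addresses
and the watched-domain list are constructed assumptions.
"""
import re
from collections import defaultdict

# Apex domains for the upload services the article names. Mapping the service
# names to these domains is our assumption; tune the set to your environment.
WATCHED_DOMAINS = {
    "dropbox.com", "dropboxapi.com", "disk.yandex.ru", "disk.yandex.com",
    "mail.yandex.ru", "extraimage.net", "imgbb.com", "imgshare.io",
    "schollz.com", "zippyimage.com",
}

# Constructed outbound-proxy log: "<ts> <src_ip> <method> <host> <bytes_sent>"
PROXY_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")
# Constructed internal flow log: "<ts> <src_ip> <dst_ip> <dst_port> <bytes>"
FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")

# Constructed sample data: 10.1.1.7 is the relay, 10.2.0.x are air-gapped peers.
SAMPLE_PROXY_LOGS = [
    "2022-03-01T09:00:01Z 10.1.1.5 GET www.example.com 512",
    "2022-03-01T09:00:05Z 10.1.1.7 POST content.dropboxapi.com 3145728",
    "2022-03-01T09:00:09Z 10.1.1.7 POST content.dropboxapi.com 2097152",
    "2022-03-01T09:01:12Z 10.1.1.9 PUT disk.yandex.ru 1048576",
    "2022-03-01T09:02:00Z 10.1.1.5 GET imgbb.com 4096",
    "this line is malformed and must be skipped",
]
SAMPLE_FLOW_LOGS = [
    "2022-03-01T08:55:00Z 10.2.0.11 10.1.1.7 8080 1048576",
    "2022-03-01T08:56:00Z 10.2.0.12 10.1.1.7 8080 2097152",
    "2022-03-01T08:57:00Z 10.2.0.13 10.1.1.7 8080 2097152",
    "2022-03-01T08:58:00Z 10.2.0.11 10.1.1.5 445 4096",
]


def domain_matches(host, watched=WATCHED_DOMAINS):
    """True if host is a watched apex domain or a subdomain of one.
    Matching on a dot boundary avoids hits like 'dropbox.com.evil.test'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)


def find_cloud_uploads(proxy_lines, min_bytes=1_000_000, watched=WATCHED_DOMAINS):
    """Sum bytes sent via POST/PUT to watched domains per source host and return
    the hosts whose total reaches min_bytes, with the destinations they used."""
    totals = defaultdict(lambda: {"bytes": 0, "hosts": set()})
    for line in proxy_lines:
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, src, method, host, nbytes = m.groups()
        if method in ("POST", "PUT") and domain_matches(host, watched):
            totals[src]["bytes"] += int(nbytes)
            totals[src]["hosts"].add(host.lower())
    return {src: v for src, v in totals.items() if v["bytes"] >= min_bytes}


def find_internal_relays(flow_lines, min_peers=3):
    """Return internal hosts that accept connections from at least min_peers
    distinct internal sources: the footprint of a relay fronting hosts that
    have no internet path of their own."""
    peers = defaultdict(set)
    for line in flow_lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        _ts, src, dst, _port, _nbytes = m.groups()
        peers[dst].add(src)
    return {dst: srcs for dst, srcs in peers.items() if len(srcs) >= min_peers}


def correlate(proxy_lines, flow_lines, min_bytes=1_000_000, min_peers=3):
    """Hosts that both relay for internal peers and upload to watched services."""
    uploads = find_cloud_uploads(proxy_lines, min_bytes)
    relays = find_internal_relays(flow_lines, min_peers)
    return sorted(set(uploads) & set(relays))


if __name__ == "__main__":
    for host in correlate(SAMPLE_PROXY_LOGS, SAMPLE_FLOW_LOGS):
        print(f"ALERT relay+upload: {host}")
```

In practice the proxy input would be your web-proxy or firewall URL log and the flow input NetFlow or Zeek conn records. The relay heuristic alone fires on ordinary file and print servers, so the value is in the correlation: an internal host that is a hub for other internal hosts and is also pushing megabytes to a consumer storage service deserves a look, and the upload-only hits (such as 10.1.1.9 in the sample) are a lower-priority queue.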