APT Group Planted Backdoors to Spy on Central Asian Companies and a Governmental Institution
The group planted backdoors to gain long-term access to corporate networks. Based on the analysis, Avast suspects the group was also behind attacks active in Mongolia, Russia, and Belarus
Avast, a provider of digital security and privacy products, released a joint analysis of an APT attack targeting Central Asian companies and institutions. Avast worked together with malware analysts from ESET to analyze samples used by an APT group to spy on a telecommunications company, a gas company, and a governmental institution in Central Asia.
The group planted backdoors to gain long-term access to corporate networks. Based on the analysis, Avast suspects the group was also behind attacks active in Mongolia, Russia, and Belarus. Avast believes the group is from China, based on the use of Gh0st RAT, which has been known to be used by Chinese APT groups in the past and similarities in the code Avast analyzed and code recently analyzed in a campaign attributed to Chinese actors.
The backdoors gave the actors the ability to manipulate and delete files, take screenshots, alter processes, and services, as well as execute console commands, and remove itself. Additionally, some commands had the capability to instruct the backdoors to exfiltrate data to a C&C server. Infected devices could also be commanded by a C&C server to act as a proxy or listen on a specific port on every network interface. The group also used tools such as Gh0st RAT and Management Instrumentation to move laterally within infiltrated networks.
“The group behind the attack frequently recompiled their custom tools to avoid antivirus detection, which, in addition to the backdoors, included Mimikatz and Gh0st RAT. This has led to a large number of samples, with binaries often protected by VMProtect, making analysis more difficult,” said Luigino Camastra, malware researcher at Avast. “Based on what we have discovered and the fact that we were able to tie elements of these attacks back to attacks carried out on other countries, we assume this group is also targeting further countries.”
Avast reported its findings to the local CERT team, and reached out to the affected telecommunications company it discovered was under attack.