
In a recent cybersecurity incident, a sophisticated backdoor targeting large organizations in Russia has been uncovered. The affected sectors include government, finance, and industry. Kaspersky Labs, while still investigating the attack, has released preliminary findings so that at-risk organizations can take protective measures.
The backdoor targets computers connected to ViPNet networks; ViPNet is a software suite used for building secure networks. It was distributed in LZH archives crafted to look like legitimate software updates. Each archive contained a mix of files: action.inf (a text file), lumpdiag.exe (a legitimate executable), msinfo32.exe (a small malicious executable), and an encrypted file containing the payload. The ViPNet developer has acknowledged the targeted attacks and has provided security updates and recommendations for its users.
The attack relies on an unusual execution method. The action.inf text file contains an action that is processed by the ViPNet update service component, itcsrvup64.exe. The command launches the legitimate file lumpdiag.exe with the –msconfig argument. However, lumpdiag.exe is vulnerable to path substitution, which allows attackers to have it execute the malicious msinfo32.exe instead.
msinfo32.exe acts as a loader: it decrypts the backdoor and loads it into memory. The backdoor connects to a C2 server over TCP, enabling attackers to steal files and launch additional malicious components. Kaspersky solutions detect this threat as HEUR:Trojan.Win32.Loader.gen.
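As an added example, not code from the Kaspersky report or from ViPNet, the following Python snippet shows how a defender could flag the execution chain described above in process-creation telemetry: a copy of msinfo32.exe running outside the Windows system directories, or one spawned by lumpdiag.exe. The event field names and the sample events are constructed assumptions modelled on Sysmon-style logs, not real data.

```python
import ntpath
from typing import Dict, List, Tuple

# Legitimate locations of msinfo32.exe on a 64-bit Windows host (lowercase for comparison).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample process-creation events (assumed field names, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: the real system tool started by Explorer.
    {"image": r"C:\Windows\System32\msinfo32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "msinfo32.exe"},
    # Suspicious: a same-named binary next to lumpdiag.exe, started by it.
    {"image": r"C:\ProgramData\ViPNet\update\msinfo32.exe",
     "parent_image": r"C:\ProgramData\ViPNet\update\lumpdiag.exe",
     "command_line": "msinfo32.exe"},
    # The legitimate lumpdiag.exe itself; not flagged by this rule.
    {"image": r"C:\ProgramData\ViPNet\update\lumpdiag.exe",
     "parent_image": r"C:\Program Files\ViPNet\itcsrvup64.exe",
     "command_line": "lumpdiag.exe --msconfig"},
]


def suspicious_reasons(event: Dict[str, str]) -> List[str]:
    """Return the reasons an msinfo32.exe start looks like the ViPNet path-substitution chain."""
    reasons: List[str] = []
    image = event["image"].lower()
    if ntpath.basename(image) != "msinfo32.exe":
        return reasons
    # Path substitution puts a malicious msinfo32.exe outside the system directories.
    if not image.startswith(SYSTEM_DIRS):
        reasons.append("msinfo32.exe running outside Windows system directories")
    # The described chain has lumpdiag.exe as the parent; that raises confidence.
    if ntpath.basename(event["parent_image"].lower()) == "lumpdiag.exe":
        reasons.append("msinfo32.exe spawned by lumpdiag.exe")
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (image path, reasons) for every event that matches at least one indicator."""
    return [(e["image"], r) for e in events if (r := suspicious_reasons(e))]


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```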
Kaspersky Labs emphasizes the increasing complexity of cyberattacks: “Attackers can target organizations in highly unusual and unexpected ways,” which highlights the need for a multi-layered, defense-in-depth security strategy.