In a recent cybersecurity incident, a sophisticated backdoor targeting large organizations in Russia has been uncovered. The affected sectors include government, finance, and industry. Kaspersky Labs, while still investigating the attack, has released preliminary findings to help at-risk organizations take protective measures.
The backdoor was found to target computers connected to ViPNet networks. ViPNet is a software suite used for creating secure networks. The method of distribution involved LZH archives, crafted to appear as legitimate software updates. These archives contained a mix of files: "action.inf", a text file; "lumpdiag.exe", a legitimate executable; "msinfo32.exe", a small malicious executable; and an encrypted file containing the payload. The ViPNet developer has acknowledged the targeted attacks and has provided security updates and recommendations for their users.
The attack leverages a clever execution method. The "action.inf" text file contains an action processed by the ViPNet update service component ("itcsrvup64.exe"):
This command launches the legitimate file "lumpdiag.exe" with the "–msconfig" argument. However, "lumpdiag.exe" is vulnerable to path substitution: it resolves "msinfo32.exe" by name, so the malicious copy shipped in the archive is executed instead of the Windows utility of the same name.
The "msinfo32.exe" file acts as a loader, decrypting and loading the backdoor into memory. This backdoor is capable of connecting to a C2 server via TCP, enabling attackers to steal files and launch additional malicious components. Kaspersky solutions detect this threat as HEUR:Trojan.Win32.Loader.gen.
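The chain described above (an update archive whose action file launches a legitimate binary, which then picks up a malicious executable named after a Windows system utility from the same directory) can be triaged heuristically before an update package is applied. The following is an added example for defenders, not code from Kaspersky or from the ViPNet developer. It assumes a hypothetical "key=command" line format for action.inf (the real format is not shown in this article), uses a short constructed list of Windows system binary names, and runs on a constructed file listing and action file rather than real samples.

```python
"""Heuristic triage of an unpacked update package for the launch-and-shadow pattern
(legitimate launcher plus a system-binary name outside the system directories)."""
from pathlib import PureWindowsPath

# Partial, constructed list of Windows binaries that normally live only in the system directories.
SYSTEM_BINARY_NAMES = {"msinfo32.exe", "msconfig.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_in_system_dir(path: str) -> bool:
    """True if the path lies under one of the Windows system directories."""
    return str(PureWindowsPath(path)).lower().startswith(SYSTEM_DIRS)


def shadowed_system_binaries(package_files):
    """Return package paths whose base name collides with a Windows system binary
    but which live outside the system directories: the classic search-order hijack layout."""
    return [
        p for p in package_files
        if PureWindowsPath(p).name.lower() in SYSTEM_BINARY_NAMES and not is_in_system_dir(p)
    ]


def launched_executables(action_inf_text: str):
    """Parse 'key=command args' lines (assumed format, not the real action.inf syntax)
    and return the base names of executables the action file launches."""
    names = []
    for line in action_inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")) or "=" not in line:
            continue
        _, command = line.split("=", 1)
        tokens = command.strip().split()
        if tokens and tokens[0].lower().endswith(".exe"):
            names.append(PureWindowsPath(tokens[0]).name.lower())
    return names


def triage_package(package_files, action_inf_text: str):
    """Return human-readable findings; an empty list means no heuristic fired."""
    findings = []
    shadowed = shadowed_system_binaries(package_files)
    for p in shadowed:
        findings.append(f"system binary name outside system dir: {p}")
    shipped = {PureWindowsPath(p).name.lower() for p in package_files}
    launched_from_package = [exe for exe in launched_executables(action_inf_text) if exe in shipped]
    if launched_from_package and shadowed:
        findings.append(
            "action file launches a shipped executable "
            f"({', '.join(launched_from_package)}) next to a shadowing binary: "
            "possible path-substitution chain"
        )
    return findings


# Constructed sample package mirroring the layout described in the article (not real samples).
SAMPLE_FILES = [
    r"C:\Temp\update\action.inf",
    r"C:\Temp\update\lumpdiag.exe",
    r"C:\Temp\update\msinfo32.exe",
    r"C:\Temp\update\payload.bin",
]
# Hypothetical action.inf content; the key name "extra_command" is an assumption.
SAMPLE_ACTION_INF = "; constructed sample\nextra_command=lumpdiag.exe -msconfig\n"

if __name__ == "__main__":
    for finding in triage_package(SAMPLE_FILES, SAMPLE_ACTION_INF):
        print("FINDING:", finding)
```

The name-collision check is the useful part: a benign update has no reason to ship a file called msinfo32.exe outside the system directories, so that finding alone justifies holding the package for analysis. The chain finding only adds context; it is deliberately not raised for an ordinary package that merely launches its own setup executable.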
Kaspersky Labs emphasizes the increasing complexity of cyberattacks: "Attackers can target organizations in highly unusual and unexpected ways," highlighting the necessity of a multi-layered, defense-in-depth security strategy.