YoroTrooper Espionage Campaigns Target CIS, EU Countries

Written by

A previously unknown threat actor has been observed conducting espionage campaigns against CIS (Commonwealth of Independent States) entities.

Dubbed YoroTrooper by the Cisco Talos team, the threat actors mainly targeted government and energy organizations across Azerbaijan, Tajikistan and Kyrgyzstan.

“We also observed YoroTrooper compromise accounts from at least two international organizations: a critical European Union (EU) health care agency and the World Intellectual Property Organization (WIPO),” reads an advisory published earlier today.

Written by Cisco Talos security researchers Vitor Ventura and Asheer Malhotra, the blog post says information stolen during the attacks included credentials from multiple applications, browser histories and cookies, as well as system information and screenshots.

“YoroTrooper’s main tools include Python-based, custom-built and open source information stealers, such as the Stink stealer, wrapped into executables via the Nuitka framework and PyInstaller,” Ventura and Malhotra explained.

Additionally, YoroTrooper used various commodity malware tools like AveMaria/Warzone RAT, LodaRAT and Meterpreter to perform remote access operations.

Regarding the infection chain, the Cisco Talos team said YoroTrooper relied on phishing emails with a file attached, usually an archive consisting of two files: a shortcut file (LNKs) and a decoy PDF file. 

The shortcut file was the initial trigger for the infection, while the PDF was the lure to make the infection look legitimate.

Read more on shortcut files here: Are We Losing the War Against Ransomware?

“To trick their victims, the threat actor either registers malicious domains and then generates subdomains or registers typo-squatted domains similar to legitimate domains from CIS entities to host malicious artifacts.”

Ventura and Malhotra added that the operators behind this threat group are Russian language speakers but are not necessarily based in the country or Russian nationals (considering the CIS victimology). The motives behind the attacks are mainly connected with information gathering and espionage.

“The custom-built Python-based RAT [used by YoroTrooper] is relatively simple,” explained Cisco Talos. “It uses Telegram as a medium of C2 communication and exfiltration [and] contains functionality to run arbitrary commands and upload files of interest to the attacker to a Telegram channel via a bot.”

The Cisco Talos advisory comes weeks after Symantec security researchers discovered another Russian-speaking stealer dubbed “Graphiron.”

What’s hot on Infosecurity Magazine?