Cybercriminals with ties to China are hunting Russian targets
China and Russia do not seem to be allies in cyberspace: Russia has found malware linked to China on devices belonging to Russian government agencies and IT providers.
Cybersecurity researchers at Kaspersky say they have discovered “dozens” of infected computers since late July, all compromised in a campaign they dubbed EastWind. The malware samples obtained in their analysis appear to have been developed by two China-nexus groups, known as APT27 and APT31.
Kaspersky said the initial breach was made via phishing emails. The attackers sent emails with two attachments, one legitimate and one malicious. The malicious one communicated with Dropbox, GitHub, Quora, LiveJournal and Yandex.Disk, which the threat actors used as a kind of command and control (C2) server.
Multiple payloads
Through these cloud services, the hackers instructed the malware to download phase two payloads, including a trojan called GrewApacha and a backdoor called CloudSorcerer.
The latter was also noted in attacks on US organizations in late May 2024, The Register reports. Additionally, CloudSorcerer was used to download a previously unseen implant called PlugY, which can manipulate files, execute shell commands, log keystrokes, monitor screens, edit clipboard contents, and more.
“The analysis of the implant is still ongoing, but we can conclude with a high degree of confidence that the code from the DRBControl (also known as Clambling) backdoor was used to develop it,” Kaspersky said in its report. DRBControl was apparently developed by APT27. Given that the malware used in the EastWind campaign was similar to variants used by both APT27 and APT29, Kaspersky believes this “clearly demonstrates” how Chinese state-sponsored actors “very often collaborate and actively share knowledge and tools.”
At first glance, China and Russia often act as allies, supporting each other’s political and military aspirations. For example, China supports Russia’s invasion of Ukraine, while Russia echoes China’s statements about “one China”—a term used to deny Taiwan’s sovereignty and territorial integrity. However, when it comes to the battle for information, it seems that there are no alliances.