A new malware campaign known as DownEx has been discovered to be actively targeting government institutions in Central Asia for cyber espionage, according to a report by Bitdefender. The malware was first detected in 2022 in a highly targeted attack aimed at exfiltrating data from foreign government institutions in Kazakhstan. Researchers later observed another attack in Afghanistan. Interestingly, the researchers noted that the domain and IP addresses involved do not appear in any previously documented incidents, and the malware does not share any code similarities with previously known malicious software. The incident highlights the sophistication of modern cyber attacks, as cybercriminals find new methods for making their attacks more reliable. It is believed that a state-sponsored group is responsible for these incidents, though the attacks have not been attributed to any specific threat actor.
Bitdefender suspects that a Russian group may be responsible for the attacks. One clue pointing to the attack’s origin is the use of a cracked version of Microsoft Office 2016 popular in Russian-speaking countries, known as “SPecialisST RePack” or “Russian RePack by SPecialiST.” It is also unusual to see the same backdoor written in two languages, a practice previously observed with the Russia-based group APT28 and its Zebrocy backdoor. The initial access vector is likely a spear-phishing email: the threat actors most likely used social engineering to deliver a message carrying a malicious payload.
The attack used a simple technique: an executable file carrying the icon associated with .docx files, so that it masquerades as a Microsoft Word document when the victim opens the attachment. Two files were then downloaded: a lure document displayed to the victim and a malicious HTML application whose embedded code runs in the background. The payload is designed to establish communication with the command-and-control servers.
Upon execution, DownEx moves laterally across local and network drives to extract files from Word, Excel, and PowerPoint documents, images and videos, compressed files, and PDFs. It also looks for encryption keys and QuickBooks log files. DownEx exfiltrates data using a password-protected zip archive, limiting the size of each archive to 30 MB. In some cases, multiple archives were exfiltrated.
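The two traits described above (an executable dressed up as a Word document, and data staged in password-protected zip archives capped at 30 MB) can be checked from file content rather than from icons or extensions. The following triage helpers are an added example, not code from Bitdefender's report or from the campaign; the sample bytes are constructed, and the "near the cap" threshold in `staged_archives_match` is an assumed heuristic.

```python
"""Content-based triage for the DownEx traits described above. Added example;
all sample bytes are constructed and the 90% threshold is an assumption."""
import struct

ARCHIVE_CAP = 30 * 1024 * 1024  # 30 MB per-archive limit reported for DownEx
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf")


def is_pe_executable(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag in the first local file header marks encryption."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return False
    return bool(struct.unpack_from("<H", data, 6)[0] & 0x0001)


def triage_attachment(name: str, data: bytes) -> list:
    """Classify one attachment by its bytes; the icon a file shows is never trusted."""
    findings = []
    if is_pe_executable(data):
        findings.append("executable attachment")
        if any(ext in name.lower() for ext in DOC_EXTS):
            findings.append("executable posing as a document")
    if zip_is_encrypted(data):
        findings.append("password-protected archive")
    return findings


def staged_archives_match(sizes: list) -> bool:
    """Two or more archives, none over the cap and at least one near it (assumed 90%),
    matches the chunked-exfiltration pattern reported for DownEx."""
    return (len(sizes) >= 2 and all(0 < s <= ARCHIVE_CAP for s in sizes)
            and max(sizes) >= 0.9 * ARCHIVE_CAP)


def fake_pe() -> bytes:
    """Constructed minimal MZ/PE stub: e_lfanew = 0x40, then the PE signature."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\x00\x00"


def fake_zip(encrypted: bool) -> bytes:
    """Constructed 30-byte zip local file header with the encryption flag set or clear."""
    return b"PK\x03\x04" + struct.pack("<HH", 20, 1 if encrypted else 0) + b"\x00" * 22
```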
To prevent attacks like this, researchers advise organizations to harden their security posture with a combination of cybersecurity technologies: advanced, machine-learning-based malware detection that can identify malicious scripts, email filtering, a sandbox for detonating suspicious files, network protection that can block C2 connections, and detection and response capabilities that extend beyond endpoints to the network.
The news of the new malware strain involved in cyber espionage comes a day after the US announced that it had disrupted one of the most sophisticated malware sets used by the Russian intelligence services, the Snake malware. The US government attributes Snake to the Turla unit within Center 16 of the Federal Security Service of the Russian Federation (FSB). The Turla unit has used several versions of Snake over the last 20 years to steal sensitive documents from hundreds of computer systems across at least 50 countries. Its targets included governments, journalists, and other targets of interest to the Russian Federation, including NATO nations.
Since Russia’s invasion of Ukraine in 2022, Russian cyber espionage against Ukraine and the countries that support it has intensified significantly. Governments are actively trying to disrupt these activities and prevent state-sponsored groups from carrying out the attacks. In conclusion, it is important to raise awareness among potential targets about these new malware campaigns targeting Central Asia and about cyber espionage incidents before it is too late.