The Russian aerospace and defense industry has been targeted by a cyberspy campaign that offers a backdoor called the Eaglet to promote data delamination.
An activity called Operation Cargotalon is assigned to a threat cluster tracked as UNG0901 (short for unknown group 901).
“The campaign aims to target employees of the Voronezh Aircraft Production Association (VASO), one of Russia’s major aircraft production entities. One of Russia’s major aircraft production entities is said by Subhajeet, who is important for Russian logistics operations.
The attack begins with a spear phishing email with a cargo delivery-themed lure that includes a ZIP archive. Among them is a Windows Shortcut (LNK) file that uses PowerShell to view decoy Microsoft Excel documents, and deploys the Eaglet DLL implant to the host.
See Obltrantterminal, a Russian railway container terminal operator authorized by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) in February 2024.
Eaglet is designed to collect system information and establish connections to hard-coded remote servers (185.225.17[.]104″) to handle HTTP responses from the server and extract commands that are executed on compromised Windows machines.
Although the implant supports shell access and the ability to upload/download files, the exact nature of the next stage payload delivered through this method is unknown.
Seqrite said he discovered a similar campaign targeting the Russian military sector in Eglet, not to mention the source code, but also the overlap with another threat cluster that was tracked as Headmare, known to target Russian entities.
This includes functional similarities between Eaglet and PhantomDL, GO-based backdoors with shell and file download/upload capabilities, and similarity of the naming scheme used for attachments for phishing messages.
The disclosure is believed to be attributed to a fresh wave of attacks this month, a Russian state-sponsored hacking group called UAC-0184 (aka HIVE0156), which recently targeted Ukrainian victims to Renkosratt victims.
Threat actors have a history of delivering Remcos Rat since early 2024, but the newly discovered attack chain that distributes malware has been simplified, and use weaponized LNK or PowerShell files to obtain decoy files and hijacking loaders (aka IDAT loaders) payloads.
“HIVE0156 provides weaponized Microsoft LNK and PowerShell files, leading to the download and execution of Remcos Rat,” said IBM X-Force, adding, “We have observed major decoy documents that focus on the Ukrainian military and suggest that it will evolve into a potential audience.”
Source link
