Virtualization Technology News and Information
Kaspersky uncovers malware for targeted data exfiltration from air-gapped environments

Kaspersky ICS CERT shares additional research that addresses a second-stage malware succeeding the first-stage implants used for remote access and data collection in cyberattacks in Eastern Europe. This advanced tool extracts data from air-gapped systems, paving the way for the development of third-stage tools that collect and transmit the harvested data.

The research identified two specific implant types for the second stage of the attack, extracts data from infected systems. One of the implant types appeared to be a sophisticated modular malware, aimed at profiling removable drives and contaminating them with a worm to exfiltrate data from isolated, or air-gapped, networks of industrial organizations in Eastern Europe. The other type of implant is designed for stealing data from local computer and sending it to Dropbox with the help of the next-stage implants.

The malware designed explicitly to exfiltrate data from air-gapped systems by infecting removable drives consist of at least three modules, each responsible for different tasks, such as profiling and handling removable drives, capturing screenshots, and planting second-step malware on newly connected drives.

Throughout the investigation, Kaspersky's researchers observed the threat actors' deliberate efforts to evade detection and analysis. They achieved this by concealing the payload in encrypted form within separate binary data files and embedding malicious code in the memory of legitimate applications through DLL hijacking and a chain of memory injections.

"The threat actor's deliberate efforts to obfuscate their actions through encrypted payloads, memory injections, and DLL hijacking might seem underscoring the sophistication of their tactics," said Kirill Kruglov, senior security researcher at Kaspersky ICS CERT. "Although exfiltrating data from air-gapped networks is a recurrent strategy adopted by many APTs and targeted cyberespionage campaigns, this time it has been designed and implemented uniquely by the actor. As the investigation continues, Kaspersky remains resolute in its dedication to safeguarding against targeted cyberattacks and collaborating with the cybersecurity community to disseminate actionable intelligence."

To read the full report on the second-stage of the campaign, visit ICS CERT website.

Published Monday, July 31, 2023 8:26 AM by David Marshall
Filed under:
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<July 2023>