CyberWire Daily - The malicious YoroTrooper in disguise. [Research Saturday]

Episode Date: November 18, 2023

Asheer Malhotra from Cisco Talos discussing their research and findings on "Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan." Cisco Talos' research team released research ...attributing the work of the espionage-focused threat actor, YoroTrooper, to individuals based in Kazakhstan. The research states "YoroTrooper attempts to obfuscate the origin of their operations, employing various tactics to make its malicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region." They also found that YoroTrooper continues to rely heavily on phishing emails that direct victims to credential harvesting sites. The research can be found here: Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities,
Starting point is 00:01:10 solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us. So we've been tracking YoroTrooper for quite some time now. This is an APT group that has been active since at least 2022, so about two years now. That's Asheer Malhotra, technical lead for security research with Cisco Talos. The research we're discussing today is titled, Kazakhstan-Associated YoroTrooper Disguises Origin of Attacks as Azerbaijan.
Starting point is 00:01:54 And this is our second piece of research that we've released on YoroTrooper this year. About six or seven months ago in March 2023, we wrote the first paper on YoroTrooper. And that is how this second piece of research came into being. Well, let's go through some of it together here. I mean, let's start with some basics. Who is YoroTrooper and what are they trying to achieve here? So YoroTrooper is an APT group that is primarily focused on espionage and data theft, likely to support the objectives of a specific nation state.
Starting point is 00:02:31 We've seen this group being active since 2022, and they primarily target entities inside CIS countries, the Commonwealth of Independent States, basically. They use a wide variety of TTPs, from credential harvesting to spear phishing to building their own types of malware and using commodity malware and so on and so forth. And they're trying to make it seem as though
Starting point is 00:02:58 they're coming from Azerbaijan? That's right. So they've put in very special efforts to try to disguise the origin of their operations to seem like they're coming out of Azerbaijan in the sense that they will frequently try to purchase VPN infrastructure in Azerbaijan. They will try to look for physical addresses
Starting point is 00:03:21 that they can use, random physical addresses that they can use so that they can fill out forms for subscribing to these services that they can use in their malicious operations. And we know for a fact that some of the operators of the YoroTrooper threat actor group, they're not familiar with the Azerbaijani language. So whenever they're filling out forms, they will copy and paste and translate content from the form, which is written in Azerbaijani, to either Russian or the Kazakh language. And then they'll try to figure out what needs to go where so that they can subscribe to those services.
Starting point is 00:03:52 Wow, so not the most subtle or nuanced approach here to filling out those forms. Not really, not really. This is an actor that focuses a lot on learning on the go. So sometimes they will compromise their operational security in order to get something done, basically. I see. Well, let's walk through their activities together here. What are some of the things that you and your colleagues have observed? So first of all, we've seen them route their operations, actively try to route their operations through Azerbaijan. We also assess with high confidence that YoroTrooper, at least in part,
Starting point is 00:04:31 comprises individuals that are associated with Kazakhstan. This is because we saw them use Kazakh currency and we saw them trying to convert Kazakh currency into cryptocurrency, which they then use to buy infrastructure and computing resources so that they can use these resources in their malicious operations. We also know that some of their operators know the Russian language as well as the Kazakh language. And then strangely enough, we've seen that some of them are weirdly paranoid about the security of Mail.kz, which is Kazakhstan's email service. And when you consider all of this together, you know where all of this points to.
Starting point is 00:05:16 And you can see that the group is associated with Kazakhstan in some form, if not directly, then indirectly at least. Yeah. What about their activities themselves? I mean, what sort of tools are they using to go after their victims? So back in 2022, when we first started tracking this threat actor, they primarily relied on credential phishing. Basically, they'd set up a web page that masqueraded as that of a legitimate service and they would try to harvest credentials from their victims. However, over the past two years,
Starting point is 00:05:52 we've seen them move from credential phishing to building actual malware. When they started building their actual malware, they started using a lot of commodity malware, which is readily available on the internet, such as Warzone and LodaRAT and Stink Stealer. However, over the recent months, we've seen these threat actors start retooling their malware arsenal in the sense that they are now building their own custom-built malware. And in fact, there is some malware that they've put across different platforms.
Starting point is 00:06:26 For example, there's a piece of malware that they use that has been written in PowerShell. It's also been written in Golang and it's also been written in Rust. So they're trying to diversify as much as possible. And they've seen a huge amount of success. Evidently, they've seen a huge amount of success with these custom-built tools, which is why they want to rely on them more and
Starting point is 00:07:16 These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps,
Starting point is 00:07:41 not the entire network, continuously verifying every request based on identity and context. Simplifying security management with AI-powered automation. And detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Starting point is 00:08:05 What are the capabilities of the malware they're deploying? The intention of this group is to carry out espionage and data theft. So they will try to build malware that allows them to exfiltrate documents of interest from an infected machine or from an infected victim. It allows them to log keystrokes. It allows them to take screenshots of the desktop and of applications that are open on the victim's machine. It also allows them to make videos and capture videos from them. Also, they are very interested in the browsing habits of their victims as well.
Starting point is 00:08:59 So they will try to exfiltrate and record the browsing history, the cookies, and anything that's related to the browser. In fact, any credentials that are stored in various kinds of browsers, they will use their malware. YoroTrooper will use their malware to exfiltrate all of that from a victim's machine. Now, you mentioned earlier that they seem to be going after folks in the Commonwealth of Independent States. Are there particular individuals that they're targeting? We've seen them, YoroTrooper, primarily go after government entities in CIS countries, such as Azerbaijan, Tajikistan, Uzbekistan, Kyrgyzstan, and even Belarus and Russia as well. Of late, we have also seen that YoroTrooper has a very specific interest in the energy
Starting point is 00:09:47 sector, primarily energy companies that are associated with the government or infrastructure companies that are associated with the government. So these are like public sector entities, which are sponsored or backed by different governments in CIS countries. And YoroTrooper tries to very aggressively go after individuals that they think are of interest in these specific entities to infect them and to reinfect them. And even if their attempts are thwarted the first time, they will be persistent. And that's one of the key pillars of success for this specific APT group. Not a lot of sophistication, but highly motivated and highly aggressive.
Starting point is 00:10:28 And what do you suppose their initial access vector is? So they rely a lot on spear phishing emails where they will send different malicious archives consisting of different malware to their victims. And they're going to use topical themes, they use regional themes in their emails and in their archives. It's basically a social engineering trick to coerce their users, their victims into opening up the malware and infecting themselves. And one of the things I noted in your research was that you all saw them perhaps make some
Starting point is 00:11:02 adjustments after you had published earlier this year about them? Yes. So that was about the retooling primarily. We disclosed their current ongoing campaigns and we saw them go quiet for some time. And then when they reemerged, they started distributing custom malware instead of using commodity malware. So that was likely a lull in their operations where they decided that they had to retool and they had to put in more efforts to evade detections and to evade disclosures such as the ones that we've published. You mentioned that this group isn't terribly sophisticated. Is there any sense that they're, with some of the successes that they've
Starting point is 00:11:43 had, that their sophistication could be growing or perhaps behind the scenes they're being better financed? Right. So we feel that simply based on the technical analysis that we've done, that they're trying to learn new languages and they're trying to learn new technical languages as well so that they can build a variety of different malware. And that shows that they're invested in their growth. We don't know the specifics of the financial aspect of it, but technically speaking, they are evolving their TTPs and their tactics and their tools so that they can do a better job.
Starting point is 00:12:17 They already have the motivation. They just need the technical expertise. What are your recommendations then for folks to best protect themselves? So first of all, organizations need to have a layered defense model. You know, they can try and attack you via email, via SMS, on your endpoints, and they'll try to steal all kinds of data from you. So you need to have a layered defense model so that you can stop a modular attack like that of YoroTrooper at different stages in the attack cycle. Other than that, of course, it goes without saying that you should practice cyber hygiene when you find people sending you emails, interesting emails or curious emails that you're not familiar with and you don't trust the actual sender.
Starting point is 00:13:05 You shouldn't be opening them up. You shouldn't be opening documents from unknown senders and so on and so forth. So it doesn't take a whole lot to defend yourself, but you have to do it constantly and you have to practice cyber hygiene properly. You know, it's interesting to me because I think for a lot of folks in our minds, we think of espionage operators as being the best of the best, you know, the sophisticated with the best tools. But I think this research kind of shows that persistence can be an effective avenue as well. Exactly. So when we say APT groups and we say advanced persistent threats, they're not necessarily advanced.
Starting point is 00:13:45 They're more persistent than being advanced. Advanced or persistent threats, right? Right, exactly. Our thanks to Asheer Malhotra from Cisco Talos for joining us. The research is titled Kazakhstan Associated YoroTrooper Disguises Origin of Attacks as Azerbaijan. We'll have a link in the show notes.
Starting point is 00:14:54 This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Elliot Peltzman. Our executive editor is Peter Kilpie. And I'm Dave Bittner. Thanks for listening.
