
Cyber Espionage Campaign Hits Russian Aerospace Sector Using EAGLET Backdoor


Jul 25, 2025 | Ravie Lakshmanan | Cyber Espionage / Malware


Russian aerospace and defense industries have become the target of a cyber espionage campaign that delivers a backdoor called EAGLET to facilitate data exfiltration.

The activity, dubbed Operation CargoTalon, has been attributed to a threat cluster tracked as UNG0901 (short for Unknown Group 901).

“The campaign is aimed at targeting employees of Voronezh Aircraft Production Association (VASO), one of the major aircraft production entities in Russia, via using товарно-транспортная накладная (TTN) documents — critical to Russian logistics operations,” Seqrite Labs researcher Subhajeet Singha said in an analysis published this week.

The attack commences with a spear-phishing email bearing cargo delivery-themed lures that contain a ZIP archive, inside which is a Windows shortcut (LNK) file that uses PowerShell to display a decoy Microsoft Excel document, while also deploying the EAGLET DLL implant on the host.


The decoy document, per Seqrite, references Obltransterminal, a Russian railway container terminal operator that was sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) in February 2024.

EAGLET is designed to gather system information and establish a connection to a hard-coded remote server (“185.225.17[.]104”) in order to process the HTTP response from the server and extract the commands to be executed on the compromised Windows machine.

The implant supports shell access and the ability to upload/download files, although the exact nature of the next-stage payloads delivered through this method is unknown, given that the command-and-control (C2) server is currently offline.

Seqrite said it also uncovered similar campaigns targeting the Russian military sector with EAGLET, not to mention source code and targeting overlaps with another threat cluster tracked as Head Mare that is known to target Russian entities.

This includes the functional parallels between EAGLET and PhantomDL, a Go-based backdoor with a shell and file download/upload feature, as well as the similarities in the naming scheme used for the phishing message attachments.


The disclosure comes as the Russian state-sponsored hacking group known as UAC-0184 (aka Hive0156) has been attributed to a fresh attack wave targeting victims in Ukraine with Remcos RAT as recently as this month.

While the threat actor has a history of delivering Remcos RAT since early 2024, newly observed attack chains distributing the malware have been simplified, employing weaponized LNK or PowerShell files to retrieve the decoy file and the Hijack Loader (aka IDAT Loader) payload, which then launches Remcos RAT.

“Hive0156 delivers weaponized Microsoft LNK and PowerShell files, leading to the download and execution of Remcos RAT,” IBM X-Force said, adding it “observed key decoy documents featuring themes that suggest a focus on the Ukrainian military and evolving to a potential wider audience.”
