Zirconium APT targets industrial organisations in Eastern Europe

August 9, 2023

The notorious Chinese-linked advanced persistent threat (APT) group Zirconium is targeting industrial organisations in Eastern Europe. Based on reports, the group's primary aim in this campaign is to steal valuable intellectual property from victims, including data kept on air-gapped systems.


Zirconium APT, also known as APT31, has used a DLL hijacking technique to carry out this operation.


The Zirconium APT operators leveraged DLL hijacking vulnerabilities in cloud-based data storage systems, such as Yandex or Dropbox, and sometimes in file-sharing services, to deliver a next-stage payload.
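DLL hijacking, as used in the campaign above, works by placing a malicious DLL where a legitimate application's library search order finds it before the real one. The following is an added defender-side example, not code from the article or from the vendor reports it summarises: a small heuristic that scans image-load events and flags (a) well-known system DLL names resolved outside the Windows system directories and (b) applications installed outside user-writable locations that load a DLL from one. The product name `ExampleSync`, every path, and the short list of system DLL names are constructed for illustration; the list is deliberately incomplete and would be replaced by a site-specific allowlist in practice.

```python
"""
Added example (not from the article): heuristic detection of DLL
search-order hijacking / side-loading from image-load telemetry.
All sample events, paths and product names below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional
import ntpath

# Directories from which system DLLs are expected to load (lower-case).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Substrings that mark a user-writable location (illustrative, not exhaustive).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\")

# DLL names that should normally resolve to System32. Hypothetical short list;
# a real deployment would build this from a golden image of the estate.
COMMON_SYSTEM_DLLS = {"version.dll", "wtsapi32.dll", "dbghelp.dll", "cryptbase.dll"}


@dataclass(frozen=True)
class LoadEvent:
    process_path: str   # image that performed the load
    dll_path: str       # full path of the DLL that was mapped


@dataclass(frozen=True)
class Finding:
    process_path: str
    dll_path: str
    reason: str


def _is_user_writable(directory: str) -> bool:
    """True if the (lower-cased) directory contains a user-writable marker."""
    return any(hint in directory + "\\" for hint in USER_WRITABLE_HINTS)


def classify(event: LoadEvent) -> Optional[Finding]:
    """Return a Finding for a suspicious load, or None for an unremarkable one."""
    dll = event.dll_path.lower()
    proc = event.process_path.lower()
    dll_dir, dll_name = ntpath.dirname(dll), ntpath.basename(dll)
    proc_dir = ntpath.dirname(proc)

    # Rule A: a well-known system DLL name resolved from somewhere other than
    # the system directories is the classic search-order hijack signature.
    if dll_name in COMMON_SYSTEM_DLLS and not dll_dir.startswith(SYSTEM_DIRS):
        return Finding(event.process_path, event.dll_path,
                       "system DLL name resolved outside the system directories")

    # Rule B: an application that itself lives outside user-writable space
    # pulling a DLL from a user-writable path suggests a dropped library.
    if _is_user_writable(dll_dir) and not _is_user_writable(proc_dir):
        return Finding(event.process_path, event.dll_path,
                       "DLL loaded from a user-writable location")
    return None


def scan(events: List[LoadEvent]) -> List[Finding]:
    """Run classify() over a batch of load events and keep only findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample telemetry: one benign system load, one vendor DLL,
# two side-loading candidates and one dropped-DLL candidate.
SAMPLE_EVENTS = [
    LoadEvent(r"C:\Program Files\ExampleSync\ExampleSync.exe",
              r"C:\Windows\System32\version.dll"),
    LoadEvent(r"C:\Program Files\ExampleSync\ExampleSync.exe",
              r"C:\Program Files\ExampleSync\examplesync_core.dll"),
    LoadEvent(r"C:\Program Files\ExampleSync\ExampleSync.exe",
              r"C:\Program Files\ExampleSync\version.dll"),
    LoadEvent(r"C:\Users\alice\AppData\Local\CloudClient\client.exe",
              r"C:\Users\alice\AppData\Local\CloudClient\wtsapi32.dll"),
    LoadEvent(r"C:\Program Files\ExampleSync\ExampleSync.exe",
              r"C:\Users\alice\Downloads\helper.dll"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.reason}: {finding.process_path} -> {finding.dll_path}")
```

The two rules are intentionally narrow: rule A has very few benign hits because a legitimately installed product rarely ships a DLL named like a Windows system library, while rule B is noisier and is best paired with an Authenticode check on the flagged file before anyone pages an analyst.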

Researchers also noted that the threat actors used about 15 implant variants with different capabilities in the attack.

One of the 15 implants is the FourteenHi malware. The actors used it as a first-stage implant, allowing them to establish persistent remote access, upload and download archives, and start a reverse shell.

In addition, the attackers adopted a new malware, MeatBall, with several remote access capabilities, including listing the processes running on a system, capturing screenshots, and providing a remote shell.

Threat analysts also discovered that the attackers used an implant that turned Yandex cloud data storage into their command-and-control server. Researchers believe the adversaries could have exfiltrated critical data from infected systems, such as computer names, usernames, IP addresses, OS versions, and MAC addresses.

European organisations have remained the primary target of threat actors for the past several months. RomCom attackers were allegedly behind a recent phishing campaign that targeted European delegates attending the NATO Summit in Lithuania. The threat actors used typosquatted domains and spear-phishing emails to compromise the delegates with malware.

In a separate incident, researchers uncovered a surge of attacks targeting European firms, especially those specialising in foreign policy. The attackers distributed the PlugX malware using the HTML smuggling technique.

European organisations have become the primary target of numerous state-sponsored hacker groups, and attacks on them have grown into a significant current trend. Organisations should use the indicators of compromise (IOCs) linked to these campaigns to understand the attack patterns and develop security measures that mitigate the effects of an attack.
