APT31 Remote Access Trojan targets Mongolia, Russia and the U.S.

Description

FortiGuard Labs is aware of a report that the hacking group APT31 targeted Mongolia, Russia, Belarus, Canada, and the United States with a Remote Access Trojan (RAT). The attack methodology is a simple spearphishing attack and does not involve any vulnerability exploits. However, some files are digitally signed with what appears to be a stolen signing certificate in order to trick the victim into opening the file.


When was The Incident Reported?

Security vendor Positive Technologies published a blog on August 3rd, 2021.


When and How did The Attack Occur?

According to the security vendor, a series of attacks occurred from January to July 2021.


The attack appears to be a simple spearphishing attack with no sign of a vulnerability being exploited. The targets were sent an email with an executable attachment, which drops a Remote Access Trojan (RAT) when opened.

Some samples used in this attack are signed with valid digital certificates, which appear to have been stolen from their legitimate owners beforehand. A signature that chains to a trusted root therefore says nothing about whether the file is malicious; only the identity of the signer and the revocation status of the certificate do.
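The following triage script is an added example and is not code from the FortiGuard or Positive Technologies write-ups. It walks a quarantine folder of executable attachments, reads each file's Authenticode signature, rebuilds the signer's chain with online revocation checking, and separates three cases that a plain "is it signed?" check collapses together: unsigned, signed by a publisher on your own allow-list, and signed with a certificate that chains correctly but belongs to nobody you expect, which is exactly what a stolen certificate produces. The quarantine path and the thumbprint allow-list are placeholders you would replace with your own.

```powershell
# Added example, not from the original page. Assumed inputs: a quarantine folder of
# e-mail attachments and an allow-list of publisher certificate thumbprints you trust.
$Quarantine = 'C:\Quarantine\Attachments'            # assumed path
$TrustedThumbprints = @(                              # assumed allow-list (replace with your own)
    '0000000000000000000000000000000000000000'
)

Get-ChildItem -Path $Quarantine -Include *.exe,*.dll,*.scr -Recurse -File | ForEach-Object {
    $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
    $verdict = 'unsigned'
    $signer  = $null
    $revoked = $false

    if ($sig.Status -ne 'NotSigned' -and $sig.SignerCertificate) {
        $cert   = $sig.SignerCertificate
        $signer = $cert.Subject

        # Rebuild the chain with online revocation so a certificate revoked after it was
        # reported stolen is caught even though the embedded signature still verifies.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $null   = $chain.Build($cert)
        $revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status.ToString() -match 'Revoked' })

        if ($sig.Status -eq 'Valid' -and -not $revoked -and ($TrustedThumbprints -contains $cert.Thumbprint)) {
            $verdict = 'trusted-publisher'
        } elseif ($sig.Status -eq 'Valid' -and -not $revoked) {
            # Chains to a trusted root but the signer is unknown: treat as suspicious, not as safe.
            $verdict = 'valid-but-unknown-publisher'
        } else {
            $verdict = "bad-signature ($($sig.Status))"
        }
    }

    [pscustomobject]@{
        File        = $_.Name
        Verdict     = $verdict
        Signer      = $signer
        Revoked     = $revoked
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
} | Format-Table -AutoSize
```

The Timestamped column matters for the revocation result: Windows keeps a countersigned (timestamped) signature valid if the certificate was revoked after the timestamp, so a file with Revoked set to $false and Timestamped set to $true may still have been signed with a key the owner has since lost. Decide on the signer's identity, not on the chain building.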



Where was the Attack Found?

The blog states the attack was found in Mongolia, Russia, Belarus, Canada, and the United States.


What does FortiGuard Labs Know about APT31?

APT31 is believed to be a hacking group operating out of China that has been active on the cyber threat scene since at least 2017, and its main objective is to gather information from its targets.

Some security vendors attributed the attacks on individuals associated with the 2020 US presidential election to APT31.

APT31 is likely one of the APT groups who were condemned by the White House on July 19th, 2021.


What Actions Does the RAT Perform?

The blog states the RAT is capable of performing the following actions after receiving remote commands from the attacker:


  • get information on mapped drives
  • perform file search
  • create a process and communicate with it through a pipe
  • create a process via ShellExecute
  • create a new stream with a file download from the server
  • search for a file or perform the necessary operation via SHFileOperationW (copy file, move file, rename file, delete file)
  • create a directory
  • create a new stream, sending the file to the server
  • self-delete


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against this attack:

W32/Agent!tr

W32/Agent.AIJ!tr

W32/Agent.FSI!tr.dldr

W32/Small.BHU!tr.dldr

W32/GenKryptik.FEOE!tr

Malicious_Behavior.SB