Threat Signal Report

APT31 Remote Access Trojan targets Mongolia, Russia and the U.S.

Description

FortiGuard Labs is aware of a report that the hacking group APT31 targeted Mongolia, Russia, Belarus, Canada, and the United States with a Remote Access Trojan (RAT). The attack methodology is a simple spearphishing attack and does not involve any vulnerability exploits. However, some files are digitally signed with what appears to be a stolen signing certificate in order to trick the victim into opening the file.


When was the Incident Reported?

Security vendor, Positive Technologies, published a blog on August 3rd, 2021.


When and How did the Attack Occur?

According to the security vendor, a series of attacks occurred from January to July 2021.


The attack appears to be a simple spearphishing attack with no sign of a vulnerability being exploited. The targets were sent an email with an executable attachment, which drops a Remote Access Trojan (RAT) upon opening.

Some samples used in this attack are signed with valid digital certificates, which appear to have been previously stolen.



Where was the Attack Found?

The blog states the attack was found in Mongolia, Russia, Belarus, Canada, and the United States.


What does FortiGuard Labs Know about APT31?

APT31 is believed to be a hacking group based in China that has been on the cyber threat scene since at least 2017, and whose main objective is to gather information from its targets.

Some security vendors attributed the attack on individuals associated with the 2020 US presidential election to APT31.

APT31 is likely one of the APT groups who were condemned by the White House on July 19th, 2021.


What Actions Does the RAT Perform?

The blog states the RAT is capable of performing the following actions after receiving remote commands from the attacker:


  • get information on mapped drives
  • perform a file search
  • create a process and communicate with it through a pipe
  • create a process via ShellExecute
  • create a new stream for downloading a file from the server
  • search for a file or perform the necessary operation via SHFileOperationW (copy file, move file, rename file, delete file)
  • create a directory
  • create a new stream for sending a file to the server
  • self-delete


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against this attack:

W32/Agent!tr

W32/Agent.AIJ!tr

W32/Agent.FSI!tr.dldr

W32/Small.BHU!tr.dldr

W32/GenKryptik.FEOE!tr

Malicious_Behavior.SB


Definitions

Traffic Light Protocol

For each color below: when should it be used, and how may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.