A newly identified threat actor, dubbed YoroTrooper, has been observed targeting government and energy organizations in the Commonwealth of Independent States (CIS) region for espionage and data theft, Cisco warns. The group has been active since at least June 2022 and is believed to consist of Russian-speaking individuals. They have successfully compromised organizations in Azerbaijan, Kyrgyzstan, Tajikistan, and other CIS countries, as well as a European Union healthcare agency and the World Intellectual Property Organization (WIPO).
YoroTrooper lures victims with malicious domains, including typosquatted domains that resemble the legitimate websites of CIS entities. The threat actor sends phishing emails with an archive attached that carries a shortcut file (.lnk) alongside a decoy PDF document. The malicious payloads include AveMaria/Warzone RAT, LodaRAT, Stink Stealer, a custom-built Python-based RAT, self-developed stealers based on the open-source LaZagne project, and a custom-built C-based keylogger. All of these are used for data exfiltration and to receive commands from the attackers’ command-and-control (C&C) server.
Cisco has identified at least three different clusters of activity with overlapping infrastructure. They have also uncovered potential connections with other threat actors, including Kasablanka, the operators of LodaRAT, and Stibnite, the operators of PoetRAT.
To protect against YoroTrooper, organizations should be extra cautious when it comes to emails with malicious attachments and should be aware of the malicious domains and typosquatting techniques used by the group. Furthermore, they should regularly scan for malicious implants and ensure that only authorized users have access to sensitive networks, systems, and data.
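The two observable traits described above, a sender domain that typosquats a legitimate one and an archive attachment carrying a .lnk shortcut next to a decoy document, can both be checked at mail-gateway or triage time. The following is an added example written for this page, not Cisco's or the article's own code; the protected-domain list, the sample file names, and the edit-distance threshold are assumptions chosen for illustration, and the archive contents are constructed placeholders rather than real samples.

```python
"""Triage checks for the delivery chain described above: an archive attachment
that carries a Windows shortcut (.lnk) beside a decoy document, sent from a
domain that imitates a legitimate one. Added example, not the article's code."""
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical list of domains the organization treats as legitimate (assumption).
PROTECTED_DOMAINS = ["example-ministry.gov", "example-energy.com"]

SHORTCUT_EXTS = (".lnk",)
DECOY_EXTS = (".pdf", ".doc", ".docx")
ARCHIVE_EXTS = (".zip",)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_of(domain: str, protected=PROTECTED_DOMAINS, max_dist: int = 2) -> Optional[str]:
    """Return the protected domain that `domain` most closely imitates, or None.
    An exact match is legitimate and is never reported as a typosquat."""
    d = domain.lower().strip(".")
    best = None
    for p in protected:
        if d == p:
            return None
        dist = levenshtein(d, p)
        if dist <= max_dist and (best is None or dist < best[0]):
            best = (dist, p)
    return best[1] if best else None


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def triage_zip(data: bytes) -> Verdict:
    """Flag archives that carry a .lnk shortcut; also record a decoy document
    sitting beside it, which is the lure pattern the report describes."""
    v = Verdict(False)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n for n in zf.namelist() if not n.endswith("/")]
    except zipfile.BadZipFile:
        v.reasons.append("not a valid zip archive")
        return v
    lnks = [n for n in names if n.lower().endswith(SHORTCUT_EXTS)]
    decoys = [n for n in names if n.lower().endswith(DECOY_EXTS)]
    if lnks:
        v.suspicious = True
        v.reasons.append(f"shortcut file(s) in archive: {lnks}")
        if decoys:
            v.reasons.append(f"decoy document beside shortcut: {decoys}")
    return v


def triage_message(sender_domain: str, attachments: Dict[str, bytes]) -> Verdict:
    """Combine the sender-domain check and the attachment check into one verdict."""
    v = Verdict(False)
    target = typosquat_of(sender_domain)
    if target:
        v.suspicious = True
        v.reasons.append(f"sender domain {sender_domain!r} resembles protected domain {target!r}")
    for name, blob in attachments.items():
        if name.lower().endswith(ARCHIVE_EXTS):
            sub = triage_zip(blob)
            if sub.suspicious:
                v.suspicious = True
                v.reasons.extend(f"{name}: {r}" for r in sub.reasons)
    return v


def build_sample_archive() -> bytes:
    """Constructed sample: a zip holding a decoy PDF and a shortcut, mirroring the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Agenda.pdf", b"%PDF-1.4\n% constructed decoy, not a real document\n")
        zf.writestr("Agenda.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 16)  # placeholder bytes only
    return buf.getvalue()


if __name__ == "__main__":
    # "exarnple" (r + n) imitates "example" (m): edit distance 2 from the protected domain.
    verdict = triage_message("exarnple-ministry.gov", {"Agenda.zip": build_sample_archive()})
    print(verdict.suspicious, *verdict.reasons, sep="\n")
```

The edit-distance threshold of 2 is deliberately narrow so that unrelated domains are not flagged; a production deployment would also normalize homoglyphs and check registered second-level domains rather than the full host name.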
In conclusion, YoroTrooper is a newly identified threat actor targeting government and energy organizations in the CIS region. The group is believed to consist of Russian-speaking individuals and has been active since at least June 2022. They use malicious domains, typosquatting, and phishing emails with malicious payloads to infect victims. Furthermore, they have potential connections with other threat actors. Organizations should be extra vigilant when it comes to emails with malicious attachments and should ensure that only authorized users have access to sensitive networks, systems, and data.
Key Points:
- YoroTrooper is a newly identified threat actor targeting government and energy organizations in the CIS region.
- The group is believed to consist of Russian-speaking individuals.
- They use malicious domains, typosquatting, and phishing emails with malicious payloads to infect victims.
- They have potential connections with other threat actors.
- Organizations should be extra vigilant when it comes to emails with malicious attachments and should ensure that only authorized users have access to sensitive networks, systems, and data.