Threat actor YoroTrooper has compromised the accounts of critical EU healthcare agencies, a number of embassies, and the World Intellectual Property Organization (WIPO).
A report (opens in new tab) from Cisco Talos (via BleepingComputer (opens in new tab)) has revealed that vast quantities of data, such as credentials, cookies, and browser histories, have been stolen from a number of infected endpoints.
These include those belonging to government agencies and energy companies of countries that are a part of Eurasia’s Commonwealth of Independent States (CIS).
YoroTrooper’s unique threat activity
Though BleepingComputer notes that YoroTrooper has previously been known to disseminate known malware like PoetRAT and LodaRAT, Cisco thinks it’s moved to designing its own Remote Access Trojans (RATs) written in Python to get the job done.
In Summer 2022, Belarusian organizations were hit by infected PDF files sent from email domains purporting to be organizations from Belarus or Russia. In September that year, YoroTrooper registered typosquatting domains to appear as similar as Russian government agencies as possible.
This strategy is rooted in YoroTrooper’s phishing emails needing to look as legitimate as possible, particularly as its latest ruse involves attaching infected RAR and ZIP attachments to gain access to national security information across the region.
In 2023, the threat group has moved fast. In January, it began issuing an infostealer script that extracts credentials from Chromium-based browsers, but in February, had already moved to a new modular tool called ‘Stink’.
The new tool, in addition to Chromium browser infiltration and basic system information, also steals data from FTP client Filezilla and messaging apps Discord and Telegram.
YoroTrooper’s motives, means, and backers are currently unknown, but the move to custom tools could turn out to be a worrying development for the corporate world.
Services Marketplace – Listings, Bookings & Reviews