Government, energy, and international organizations in Europe have been the targets of a cyber espionage campaign, ongoing since at least June 2022, run by a previously unknown threat actor tracked as YoroTrooper.
“Information stolen from successful compromises includes credentials from multiple applications, browser histories and cookies, system information and screenshots,” Cisco Talos researchers Vitor Ventura and Asheer Malhotra said in a recent analysis.
Azerbaijan, Kyrgyzstan, Tajikistan, Turkmenistan, and other Commonwealth of Independent States (CIS) members are prominent among the countries targeted. The threat actor is believed to be Russian-speaking, based on the victimology patterns and the presence of Cyrillic snippets in some of the implants. The YoroTrooper intrusion set has also been found to share tactical similarities with the PoetRAT team, which was identified in 2020 and used coronavirus-themed lures to attack the government and energy sectors in Azerbaijan.
YoroTrooper uses a combination of commodity and open-source stealers and remote access tools, including Ave Maria (also known as Warzone RAT), LodaRAT, Meterpreter, and Stink, to collect data. The infection chains are delivered through spear-phishing, malicious shortcut files (LNKs), and decoy documents packaged in ZIP or RAR archives. The LNK files act as straightforward downloaders: they run an HTA file fetched from a remote server, which in turn displays a decoy PDF document. At the same time, a dropper is silently launched to deploy a custom stealer that uses Telegram as its exfiltration channel.
The use of LodaRAT is notable because it shows that multiple operators are deploying the malware, even though it is attributed to another group, Kasablanka. Kasablanka has also been observed distributing Ave Maria in recent campaigns aimed at Russia. YoroTrooper's additional support tools include reverse shells and a keylogger written in C that captures keystrokes and saves them to a file on disk.
The researchers stress that while the campaign began by distributing commodity malware such as Ave Maria and LodaRAT, it has since evolved substantially to include custom Python-based malware. This marks an escalation in the threat actor's efforts, most likely driven by successful breaches earlier in the campaign.