Singapore-headquartered company Group-IB published research into a piece of malware known as Webdav-O, which was used by Chinese hackers to carry out a series of targeted attacks against Russian authorities in 2020.
The security firm found similarities between Webdav-O, Albaniiutas, and a Trojan called BlueTraveller (aka RemShell), which is believed to be connected to the Chinese threat group TaskMasters.
“Chinese APTs are one of the most numerous and aggressive hacker communities,” researchers Anastasia Tikhonova and Dmitry Kupin said. “Hackers mostly target state agencies, industrial facilities, military contractors, and research institutes. The main objective is espionage: attackers gain access to confidential data and attempt to hide their presence for as long as possible.”
The report builds on the public disclosure made by SentinelOne and Solar JSOC about Mail-O in 2020, when attackers tried to gain access to the email addresses of Russian federal officials. At the time, SentinelOne tied it to a variant of the well-known malware PhantomNet (or SManager), created by a threat actor known as TA428.
“The main goal of the hackers was to completely compromise the IT infrastructure and steal confidential information, including documents from closed segments and email correspondence of key federal executive authorities,” Solar JSOC noted. “Cybercriminals ensured themselves a high level of secrecy through the use of legitimate utilities, undetectable malware, and a deep understanding of the specifics of the work of information protection tools installed in government bodies.”
While analyzing a Webdav-O sample uploaded to VirusTotal in November 2019, Group-IB came up with some interesting conclusions about which Chinese groups could be behind the attacks against Russian federal executive authorities in 2020.
They found two variants of the Webdav-O Trojan, one for x86 and one for x64 systems, and concluded that the x64 sample was the one used against Russian authorities.
Further investigation into TA428’s activities confirmed that the BlueTraveller variant is related to the new Albaniiutas malware, which was first reported in December 2020. The researchers also confirmed that Webdav-O is a version of BlueTraveller, as the two share source code and use the same commands.
“It is noteworthy that Chinese hacker groups actively exchange tools and infrastructure, but perhaps it is just the case here,” the researchers said. “This means that one Trojan can be configured and modified by hackers from different departments with different levels of training and with various objectives.”
Regarding the actor behind the attack, researchers concluded that “either both Chinese hacker groups (TA428 and TaskMasters) attacked Russian federal executive authorities in 2020 or that there is one united Chinese hacker group made up of different units.”