Research Saturday 11.18.23
Ep 307 | 11.18.23

The malicious YoroTrooper in disguise.
Dave Bittner: Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Asheer Malhotra: So we've been tracking YoroTrooper for quite some time now. This is an APT group that has been active since at least 2022, so about two years now.

Dave Bittner: That's Asheer Malhotra, technical lead for Security Research with Cisco Talos. The research we're discussing today is titled "Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan." [ Music ]

Asheer Malhotra: And this is our second piece of research that we've released on YoroTrooper this year. About six or seven months ago, in March 2023, we wrote the first paper on YoroTrooper, and that is how this second piece of research came to be.

Dave Bittner: Well, let's go through some of it together here. I mean, let's start with some basics. Who is YoroTrooper, and what are they trying to achieve here?

Asheer Malhotra: So YoroTrooper is an APT group that is primarily focused on espionage and data theft, likely to support the objectives of a specific nation-state. We've seen this group being active since 2022, and they primarily target entities inside CIS countries, the Commonwealth of Independent States, basically. They use a variety of TTPs, you know, from credential harvesting to spear phishing, to building their own types of malware and using commodity malware and so on and so forth.

Dave Bittner: And they're trying to make it seem as though they're coming from Azerbaijan?

Asheer Malhotra: That's right. So they've put in place special efforts to try to disguise the origin of their operations to seem like they're coming out of Azerbaijan, in the sense that they will frequently try to purchase VPN infrastructure in Azerbaijan. They even tried to look for physical addresses that they can use, random physical addresses that they can use, so that they can fill out forms for subscribing to these services that they can use in their malicious operations. And we know for a fact that some of the operators of the YoroTrooper threat actor group, they're not familiar with the Azerbaijani language. So, you know, whenever they're filling out forms, they will copy and paste and translate content from the form -- which is written in Azerbaijani -- to either Russian or the Kazakh language. And then they figure out what needs to go where so that they can subscribe to those services.

Dave Bittner: Wow, so not the most subtle or nuanced approach here to filling out those forms.

Asheer Malhotra: Not really, not really. This is an actor that focuses a lot on learning on the go. So sometimes they will compromise their operational security in order to get something done, basically.

Dave Bittner: I see. Well, let's walk through their activities together here. What are some of the things that you and your colleagues have observed?

Asheer Malhotra: First of all, we've seen them route their operations, actively try to route their operations, through Azerbaijan. We also assess with high confidence that YoroTrooper, at least in part, comprises individuals that are associated with Kazakhstan. This is because we saw them use Kazakh currency and we saw them trying to convert Kazakh currency into cryptocurrency, which they then use to buy infrastructure and computing resources, so that they can use these resources in their malicious operations. We also know that some of their operators know the Russian language as well as the Kazakh language. And then strangely enough, we've seen that some of them are weirdly paranoid about the security of, which is Kazakhstan's email service. And when you consider all of this together, you know where all of this points to and you can see that the group is associated with Kazakhstan in some form, you know, if not directly, then indirectly at least.

Dave Bittner: Yeah. What about their activities themselves? I mean, what sort of tools are they using to go after their victims?

Asheer Malhotra: So back in 2022 when we first started tracking this threat actor, they primarily relied on credential phishing. Basically they'd set up a webpage that masqueraded as that of a legitimate service and they would try to harvest credentials from their victims. However, over the past two years, we've seen them move from credential phishing to building actual malware. When they started building the actual malware, they started using a lot of commodity malware, which is readily available on the Internet, such as Warzone and LodaRAT and Stink Stealer. However, over the recent months, we've seen these threat actors start retooling their malware, in the sense that they are now building their own custom-built malware. And, in fact, there is some malware that they've put across different platforms. For example, there's a piece of malware that they use that has been written in [inaudible 00:05:38]. And it's also been written in Golang, and it's also been written in Rust. So, you know, they're trying to diversify as much as possible, and they've seen a huge amount of success. Evidently, they've seen a huge amount of success with these custom-built tools, which is why, you know, they want to rely on them more and more and more. [ Music ]

Dave Bittner: What are the capabilities of the malware they're deploying?

Asheer Malhotra: The intention of this group is to carry out espionage and data theft. So they will try to build malware that allows them to exfiltrate documents of interest from an infected machine or from an infected victim. It allows them to log keystrokes. It allows them to take screenshots of the desktop and of applications that are open on the victim's machine. It also allows them to, you know, make videos and capture videos from them. Also, they are very interested in the browsing habits of their victims as well. So they will try to exfiltrate and record the browsing history, the cookies and anything that's related to the browser, in fact, any credentials that are stored in various kinds of browsers. They will use that malware, YoroTrooper will use their malware, to exfiltrate all of that from a victim's machine.

Dave Bittner: Now, you mentioned earlier that they seem to be going after folks in the Commonwealth of Independent States. Are there particular individuals that they're targeting?

Asheer Malhotra: We've seen them, YoroTrooper, primarily go after government entities in CIS countries, such as Azerbaijan, Tajikistan, Uzbekistan, Kyrgyzstan, and even Belarus and Russia as well. Of late, we have also seen that YoroTrooper has a very specific interest in the energy sector, primarily energy companies that are associated with the government, or infrastructure companies that are associated with the government. So these are like public sector entities, which are, you know, sponsored or backed by different governments in CIS countries. And YoroTrooper tries to very aggressively go after individuals that they think are of interest in these specific entities to infect them and to reinfect them. And, you know, even if their attempts are thwarted the first time, they will be persistent. And that's one of the key pillars of success for this specific APT group. Not a lot of sophistication but highly motivated and highly aggressive.

Dave Bittner: And what do you suppose their initial access vector is?

Asheer Malhotra: So they rely a lot on spear-phishing emails where they will send different malicious archives consisting of different malware to their victims. And they're going to use topical themes, they use regional themes in their emails and in their archives. It's basically a social engineering trick to, you know, coax their users, their victims, into opening up the malware and infecting themselves.

Dave Bittner: Now, one of the things I noted in your research was that you all saw them perhaps make some adjustments after you had published earlier this year about them.

Asheer Malhotra: Yeah, so that was about the retooling primarily. We disclosed their current ongoing campaigns and we saw them go quiet for some time and then they reemerged and started distributing custom-built malware instead of using commodity malware. So that was likely a lull in their operations where they decided that they had to retool and they had to put in more efforts to evade detection and to evade disclosures, such as the ones that we've published.

Dave Bittner: You mentioned that this group isn't terribly sophisticated. Is there any sense that, with some of the successes that they've had, that their sophistication could be growing, or perhaps behind the scenes, they're being better financed?

Asheer Malhotra: Right. So we feel that simply based on the technical analysis that we've done that, you know, they're trying to learn new languages and they're trying to learn technical languages as well so that they can build a variety of different malware. And that shows that they're invested in their growth. We don't know the specifics of the financial aspect of it, but technically speaking, they are evolving their TTPs and their tactics and their tools so that they can do a better job. You know, they already have the motivation, they just need the technical expertise.

Dave Bittner: What are your recommendations then for folks to best protect themselves?

Asheer Malhotra: So first of all, organizations need to have a layered defense model. They can try and attack you via email, via SMS, on your endpoints and, you know, they try to steal all kinds of data from you. So you need to have a layered defense model so that you can stop a modular attack like that of YoroTrooper at different stages in the attack cycle. Other than that, of course, it goes without saying that you should practice cyber hygiene. When you find people sending you emails, you know, interesting emails, or curious emails that you're not familiar with, and you don't trust the actual sender, you shouldn't be opening them up. You shouldn't be opening documents from unknown senders and so on and so forth. So it doesn't take a whole lot to defend yourself, but you have to do it constantly, and you have to practice cyber hygiene properly.

Dave Bittner: You know, it's interesting to me because I think for a lot of folks in our minds, we think of espionage operators as being the best of the best, you know. They're sophisticated with the best tools. But I think this research kind of shows that persistence can be an effective avenue as well.

Asheer Malhotra: Exactly. So when we say APT groups and we say advanced persistent threats, they're not necessarily advanced, they're more persistent than advanced.

Dave Bittner: Advanced or persistent threats, right [laughing]?

Asheer Malhotra: Right, exactly. [ Music ]

Dave Bittner: Our thanks to Asheer Malhotra from Cisco Talos for joining us. The research is titled, "Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan." We'll have a link in the show notes. [ Music ] The CyberWire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. [ Music ]