New threat actor wages espionage campaigns across Central Asia and Eastern Europe

A cybergang named YoroTrooper has been active since at least June last year. Already its victim list includes an EU health care agency and UN agency the World Intellectual Property Organization (WIPO).

The threat actor was identified and named by Cisco Talos, a cybersecurity firm. It said YoroTrooper’s main targets are government and energy organizations in Azerbaijan, Belarus, Tajikistan, and other members of the Commonwealth of Independent States (CIS).

Victims also include a handful of European embassies in Azerbaijan and Turkmenistan, and at least two accounts from a “critical” EU health care agency and the WIPO. The group has carried out several successful campaigns since summer last year, Cisco Talos said.

“Espionage is the main motivation for this threat actor, according to the tactics, techniques and procedures we have analyzed,” the firm noted.

The threat actor relies on phishing emails as an initial attack vector. These emails typically have two attached files – a shortcut file and a decoy PDF file.

Phishing email example. Image by Cisco Talos

“The shortcut file is the initial trigger for the infection, while the PDF is the lure to make the infection look legitimate,” Cisco Talos said.
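The shortcut-plus-decoy pairing described above is easy to check for at the mail gateway. The following Python script is an added example, not code from the article or from Cisco Talos: it parses a raw RFC 5322 message with the standard library, lists its attachments, and flags messages that carry both an execution trigger (a Windows shortcut, .lnk, is the type named in the report; the other trigger extensions in the table are assumed additions) and a document lure, including names that hide a shortcut behind a document extension such as `Agenda.pdf.lnk`. The sample message and its attachment bodies are constructed placeholders.

```python
import email
import email.policy
from email.message import EmailMessage

# Attachment extensions that execute rather than open as a document. The
# Windows shortcut (.lnk) is the one named in the Cisco Talos report; the
# remaining entries are assumed additions for this example.
TRIGGER_EXTENSIONS = {".lnk", ".url", ".scr", ".hta", ".js", ".vbs"}
# Document types typically used as the decoy shown to the victim.
LURE_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}


def _extension(filename: str) -> str:
    """Return the lower-cased final extension of a filename, or '' if none."""
    name = filename.lower().strip()
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[1]


def classify_attachments(raw_eml: bytes) -> dict:
    """Parse a raw message and flag the shortcut-plus-lure attachment pattern.

    Returns the attachment names seen, the trigger files and lure documents
    among them, any name that hides a trigger behind a document extension
    (e.g. 'report.pdf.lnk'), and whether a trigger and a lure co-occur.
    """
    msg = email.message_from_bytes(raw_eml, policy=email.policy.default)
    names, triggers, lures, double_ext = [], [], [], []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        names.append(filename)
        ext = _extension(filename)
        if ext in TRIGGER_EXTENSIONS:
            triggers.append(filename)
            # Strip the real extension and look at what precedes it.
            inner = _extension(filename[: -len(ext)])
            if inner in LURE_EXTENSIONS:
                double_ext.append(filename)
        elif ext in LURE_EXTENSIONS:
            lures.append(filename)
    return {
        "attachments": names,
        "trigger_files": triggers,
        "lure_documents": lures,
        "double_extension": double_ext,
        "shortcut_plus_lure": bool(triggers) and bool(lures),
    }


def build_sample_message() -> bytes:
    """Constructed sample: one decoy PDF plus a shortcut masquerading as a PDF.

    The attachment bodies are placeholder bytes, not real files.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Meeting agenda (constructed sample)"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="Agenda.pdf")
    msg.add_attachment(b"L\x00\x00\x00 placeholder", maintype="application",
                       subtype="octet-stream", filename="Agenda.pdf.lnk")
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify_attachments(build_sample_message()))
```

The check is deliberately based on attachment names rather than content types, because the sending client decides the MIME type and a shortcut is routinely labelled `application/octet-stream`; a production rule would also inspect the file header of anything it cannot classify by name.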

According to the firm, YoroTrooper uses two different tactics to trick its victims. It has been observed either registering malicious domains and then generating subdomains under them, or registering typo-squatted domains that resemble the legitimate domains of CIS entities, in both cases to host malicious artifacts.

Typo-squatting occurs when a small typographical change is introduced into a domain name to trick people into thinking a fake or spoofed domain is genuine.

Some of the domains created by YoroTrooper. Image by Cisco Talos

YoroTrooper’s toolset includes Python-based information stealers and remote access malware, which give it access to compromised targets’ credentials, browser histories and cookies for multiple browsers, system information, and screenshots.

“An analysis of their stolen data reveals a treasure trove of information from infected endpoints,” Cisco Talos said.

Access to credentials could be particularly valuable during efforts to move deeper into the network or during subsequent campaigns, while browsing histories may be used to tailor phishing lures to specific targets.

It is unclear where YoroTrooper originates from, but researchers found snippets of Russian Cyrillic text in some of its implants, and in some cases the attackers targeted Russian-language endpoints, suggesting familiarity with the language.

“Our assessment is that the operators of this threat actor are Russian-language speakers, but not necessarily living in Russia or Russian nationals,” Cisco Talos said.

Beyond the CIS, the group is believed to target organizations across Europe and Turkey.