Chinese Webdav-O Virus Attacked Russian Federal Agencies

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News

 

In 2020, a collection of Chinese state-sponsored threat groups may have been behind a series of targeted attacks on Russian federal executive authorities. The latest study, published by Singapore-based Group-IB, examines a computer virus known as “Webdav-O” that was discovered in the intrusions. The cybersecurity firm noticed similarities between the tool and a popular Trojan known as “BlueTraveller,” which is linked to a Chinese threat group known as TaskMasters and is used in malicious activities aimed at espionage and plundering confidential documents.
The report builds on a series of public disclosures in May from Solar JSOC and SentinelOne. Both revealed malware called “Mail-O” that was also observed in attacks against Russian federal executive authorities to access the cloud service Mail.ru. SentinelOne linked it to a variant of another well-known piece of malicious software called “PhantomNet” or “SManager,” used by a threat actor dubbed TA428.
TA428 has been targeting government entities in East Asia since 2013, with a particular focus on those involved in domestic and foreign policy, government information technology, and economic development. Attackers used the Microsoft Equation Editor exploit CVE-2018-0798 to deploy a custom malware called Cotx RAT, according to Proofpoint researchers. This APT gang also employs Poison Ivy payloads, which share command and control (C&C) infrastructure with the newly discovered Cotx attacks.
“Chinese APTs are one of the most numerous and aggressive hacker communities,” researchers Anastasia Tikhonova and Dmitry Kupin said. “Hackers mostly target state agencies, industrial facilities, mi

[…]