A new cyber-espionage threat actor tracked as ‘YoroTrooper’ has been targeting government and energy organizations in Commonwealth of Independent States (CIS) countries since at least June 2022, according to Cisco Talos.
The group has compromised accounts at a critical European Union agency, the World Intellectual Property Organization (WIPO), and several European embassies. YoroTrooper’s toolset combines commodity and custom information stealers, remote access trojans (RATs), and Python-based malware; infection begins with phishing emails carrying malicious LNK (Windows shortcut) attachments alongside decoy PDF documents.
The group exfiltrates large volumes of data from infected endpoints, including account credentials, cookies, and browsing histories.
YoroTrooper has shifted its targeting across several countries over time and has deployed a custom Python-based implant named ‘Stink Stealer’.
The group has also used HTML Application (HTA) files to download decoy documents and dropper implants onto the target’s system, and has deployed a custom Python stealer against the governments of Tajikistan and Uzbekistan. In its most recent attacks, the group sends malicious RAR or ZIP archives as phishing attachments, with lures themed around national strategy and diplomacy.
YoroTrooper was previously observed using commodity malware such as AveMaria (Warzone RAT) and LodaRAT, but in later attacks it switched to custom Python RATs compiled with Nuitka.
The custom RAT uses Telegram for command-and-control (C2) communication and data exfiltration, and supports running arbitrary commands on the infected device.
YoroTrooper also uses a Python-based stealer script to extract account credentials stored in the Chrome browser and exfiltrate them through a Telegram bot.
More recently, the attackers began dropping a new modular credential stealer named ‘Stink’ that collects credentials, bookmarks, and browsing data from Chromium-based browsers, takes screenshots, and steals data from FileZilla, Discord, and Telegram.
The origins and affiliations of YoroTrooper remain unknown, but its use of custom malware tooling indicates a skilled and knowledgeable threat actor.
The group’s campaigns underline the need for organizations to maintain a high level of security awareness and to implement robust defensive measures against attacks of this kind.
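Two defender-side checks that follow from the tradecraft described above, written as an added example for this page and not code from Cisco Talos or from the threat actor: the first inspects an attachment archive for Windows shortcut (.lnk) or HTA members hidden behind a decoy-style double extension, the second scans web-proxy log lines for Telegram Bot API traffic coming from a process that is not a Telegram client. The archive contents, the log format (`timestamp host process method url status`), the host and process names, and the `<REDACTED>` bot token are all constructed for the example; only the Bot API path shape `/bot<token>/<method>` is real.

```python
"""Added example: detect the YoroTrooper-style delivery chain (archive with a
.lnk/.hta lure) and Telegram-bot C2 beaconing in proxy logs.
All sample data below is constructed for illustration."""
import io
import re
import zipfile
from typing import List, Tuple

# Extensions that have no business arriving inside a phishing-style attachment
# archive; the article describes LNK and HTA being used as the initial stage.
RISKY_EXTENSIONS = {".lnk", ".hta", ".vbs", ".js", ".scr", ".exe"}


def archive_suspicious_members(archive_bytes: bytes) -> List[str]:
    """Return ZIP member names whose real (last) extension is in RISKY_EXTENSIONS.
    A name such as 'report.pdf.lnk' is flagged because only the final
    extension decides how Windows opens the file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = name[name.rfind("."):].lower() if "." in name else ""
            if ext in RISKY_EXTENSIONS:
                hits.append(name)
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample ZIP mimicking a decoy-document lure layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("National_Strategy_2023.pdf", b"%PDF-1.4 decoy")
        zf.writestr("National_Strategy_2023.pdf.lnk", b"L\x00\x00\x00")  # shortcut header
        zf.writestr("notes/readme.txt", b"plain text")
    return buf.getvalue()


# Constructed proxy log format: "<timestamp> <host> <process> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
TELEGRAM_API = "api.telegram.org"
# Processes for which Telegram API traffic is expected on a managed endpoint.
EXPECTED_TELEGRAM_PROCESSES = {"telegram.exe"}
# Bot API methods a bot-driven implant needs for tasking and exfiltration.
BOT_METHOD_RE = re.compile(r"/bot[^/]+/(getUpdates|sendMessage|sendDocument)")


def find_telegram_c2_candidates(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, process, url) for Bot API calls from unexpected processes."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        _ts, host, process, _method, url, _status = m.groups()
        if TELEGRAM_API not in url:
            continue
        if process.lower() in EXPECTED_TELEGRAM_PROCESSES:
            continue
        if BOT_METHOD_RE.search(url):
            findings.append((host, process, url))
    return findings


# Constructed log lines: one legitimate client, one non-client process polling
# the Bot API and then uploading a document, one unrelated request.
SAMPLE_LOG = [
    "2023-03-14T09:12:01Z ws-0412 telegram.exe POST https://api.telegram.org/bot<REDACTED>/getUpdates 200",
    "2023-03-14T09:12:05Z ws-0417 updater.exe GET https://api.telegram.org/bot<REDACTED>/getUpdates 200",
    "2023-03-14T09:12:09Z ws-0417 updater.exe POST https://api.telegram.org/bot<REDACTED>/sendDocument 200",
    "2023-03-14T09:13:00Z ws-0420 chrome.exe GET https://example.org/ 200",
]

if __name__ == "__main__":
    print("risky archive members:", archive_suspicious_members(build_sample_archive()))
    for host, proc, url in find_telegram_c2_candidates(SAMPLE_LOG):
        print(f"bot-API C2 candidate: {host} {proc} {url}")
```

The archive check deliberately keys on the last extension rather than on the decoy name, and the log check pairs the destination with the originating process: blocking `api.telegram.org` outright is often not an option, but a non-client binary calling `getUpdates` and `sendDocument` in sequence is a narrow, low-noise signal.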