Cisco sounds alarm over new Russian malware campaign hitting firms in US and Europe

UAT-11795 is weaponizing legitimate software such as WebEx and Zoom to dupe victims

Hacker concept image showing silhouette of a hooded individual using a laptop computer with binary code imposed against a red backdrop.
(Image credit: Getty Images)

Cisco Talos has uncovered a new Russian-speaking threat actor aggressively targeting victims across the United States and Europe.

Tracked as UAT-11795, the group has been active since June last year, and uses trojanized installers for legitimate software such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT to steal credentials and cryptocurrency.

A staple of the threat actor’s activities lies in deployment of two previously undocumented tools: Starland RAT and WLDR agent. The first of these is a Python-based remote access tool, while WLDR agent is a PowerShell-based C2 memory implant.

WLDR agent runs entirely in-memory, and features encrypted beaconing, task queuing, and a Runspace execution engine for executing additional payloads.

Latest Videos From

Both are built to steal credentials, browser data, and cryptocurrency wallet assets while keeping persistent access to victim machines. The group even hides a fallback command-and-control channel in a Polygon smart contract, Cisco Talos said.

UAT-11795 targets victims' credentials and cryptocurrency wallet assets, establishing a persistent connection to the victims' machines from the C2 server, with the potential to deliver and execute further payloads.

How UAT-11795 operates

Most infections have been spotted in the US, according to Cisco Talos, although Germany, Romania, and Venezuela have also been hit.

UAT-11795 gains initial access to the victim machine through a ClickFix social engineering technique that entices the user to execute a command, which then stealthily downloads and executes a remotely hosted weaponized HTA file.

This runs an embedded VBScript that drops a Windows batch file into the user profile’s application temporary folder, containing instructions to first download and implant a trojanized installer from the attacker-controlled staging domain onto the victim machine.

Muhammad Yahya Patel, CISO and cybersecurity advisor at Huntress, said the campaign is the latest in a string of attacks by hackers using “the very tools our remote and hybrid workers rely on”.

"By hiding the Starland RAT inside trusted software and likely utilising deceptive ClickFix social engineering tactics, these threat actors are completely bypassing traditional perimeter defenses to exploit human psychology rather than software vulnerabilities."

Talos’ research also uncovered a private live Telegram channel called “stuk komanda”, controlled by the same threat actor, created last June, and with three unknown subscribers.

Exercise caution when using video conferencing tools

Gabrielle Hempel, security operations strategist at Exabeam, said while the campaign specifically targets popular video conferencing software, one needn't avoid using Zoom or WebEx.

They should, however, exercise caution. This includes making efforts to verify where software comes from, monitor for unexpected processes and persistence mechanisms.

Elsewhere, Hempel said users shouldn't assume that 'signed installer' means a program is safe.

"This story is so interesting, not because of the trojans, but because of the way it shifts how we need to think about vulnerability management," she said.

"We often measure a program’s security maturity by patch SLAs, but we’re seeing so many successful intrusions starting with users executing software they believe is legitimate and not just unpatched systems. If your security program can’t answer 'where did this binary come from?' as quickly as it can answer 'is this CVE patched?' then you are behind on your threat model."

FOLLOW US ON SOCIAL MEDIA

Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.

TOPICS
Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.