Cisco sounds alarm over new Russian malware campaign hitting firms in US and Europe
Cisco Talos has uncovered a new Russian-speaking threat actor aggressively targeting victims across the United States and Europe.
Tracked as UAT-11795, the group has been active since June last year, and uses trojanized installers for legitimate software such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT to steal credentials and cryptocurrency.
A staple of the threat actor’s activities lies in deployment of two previously undocumented tools: Starland RAT and WLDR agent. The first of these is a Python-based remote access tool, while WLDR agent is a PowerShell-based C2 memory implant.
WLDR agent runs entirely in-memory, and features encrypted beaconing, task queuing, and a Runspace execution engine for executing additional payloads.
Both are built to steal credentials, browser data, and cryptocurrency wallet assets while keeping persistent access to victim machines. The group even hides a fallback command-and-control channel in a Polygon smart contract, Cisco Talos said.
UAT-11795 targets victims’ credentials and cryptocurrency wallet assets, establishing a persistent connection to the victims’ machines from the C2 server, with the potential to deliver and execute further payloads.
How UAT-11795 operates
Most infections have been spotted in the US, according to Cisco Talos, although Germany, Romania, and Venezuela have also been hit.
UAT-11795 gains initial access to the victim machine through a ClickFix social engineering technique that entices the user to execute a command, which then stealthily downloads and executes a remotely hosted weaponized HTA file.
This runs an embedded VBScript that drops a Windows batch file into the user profile’s application temporary folder, containing instructions to first download and implant a trojanized installer from the attacker-controlled staging domain onto the victim machine.
Muhammad Yahya Patel, CISO and cybersecurity advisor at Huntress, said the campaign is the latest in a string of attacks by hackers using “the very tools our remote and hybrid workers rely on”.
“By hiding the Starland RAT inside trusted software and likely utilising deceptive ClickFix social engineering tactics, these threat actors are completely bypassing traditional perimeter defenses to exploit human psychology rather than software vulnerabilities.”
Talos’ research also uncovered a private live Telegram channel called “stuk komanda”, controlled by the same threat actor, created last June, and with three unknown subscribers.
Gabrielle Hempel, security operations strategist at Exabeam, said while the campaign specifically targets popular video conferencing software, one needn’t avoid using Zoom or WebEx.
They should, however, exercise caution. This includes making efforts to verify where software comes from, monitor for unexpected processes and persistence mechanisms.
Elsewhere, Hempel said users shouldn’t assume that ‘signed installer’ means a program is safe.
“This story is so interesting, not because of the trojans, but because of the way it shifts how we need to think about vulnerability management,” she said.
“We often measure a program’s security maturity by patch SLAs, but we’re seeing so many successful intrusions starting with users executing software they believe is legitimate and not just unpatched systems. If your security program can’t answer ‘where did this binary come from?’ as quickly as it can answer ‘is this CVE patched?’ then you are behind on your threat model.”
FOLLOW US ON SOCIAL MEDIA
Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.