Malware Campaign Targets Eastern European Air-Gapped Systems

Researchers at Kaspersky identified two implants used for the extraction of data from infected systems and attributed it to Beijing-aligned APT31 group.

One of the two implants spotted by Kaspersky identified removable drives and contaminated them with a worm. The other implant steals data from a local computer and sends it to Dropbox with the help of the next-stage implants.

Air-gapped equipment are typically more secure that networked computers due to their physical isolation. Large-scale industrial companies, such as power companies and oil and gas firms, as well as government agencies are among the most common users of these networks.

Air gapping is hardly a guarantee against hackers. Malware that attack air-gapped networks have been reported by security firms in the past, including a cyber espionage framework researches at Eset in 2020 Ramsay (see: Cyber-Espionage Malware Targets Air-Gapped Networks: Report). Easily the most famous example of malware jumping the air gap barrier is Stuxnet, the cyberweapon aimed at disrupting Iran’s nuclear facilities identified in 2010 and widely reported to have been coded by the United and Israel.

Kaspersky researchers say in this most reent example of malware targeting air-gap systems, they identified more than 15 implants and their variants planted by the group in various combinations.

Researchers divided the entire stack of implants into three categories:

• First-stage implants for persistent remote access and initial data gathering;
• Second-stage implants for gathering data and files, including from air-gapped systems;
• Third-stage implants and tools used to upload data to C2.

Researchers did not reveal what was the initial attack vector but said that the latest research is devoted to second-stage malware used to gather data on infected systems.