Chinese hackers break air gaps in Eastern Europe
Payload hidden in the memory of legitimate applications
A group of Chinese hackers has been identified as the culprit in a months-long campaign to compromise and steal data from air gapped systems across Eastern Europe.
Researchers at Kaspersky have pointed the finger at a group known as APT31, aka Zirconium and Judgement Panda, as being behind a sustained malware-based attack on industrial organisations in Europe.
The campaign aimed to compromise systems and establish a permanent channel to exfiltrate data, including information stored on air gapped systems, using removable media.
Air gapping means a system is not directly connected to the internet or other insecure networks, and may also be physically isolated. Such systems typically hold important, sensitive data and/or fulfil critical roles in a business.
According to Kaspersky, the hackers installed more than 15 implants of the FourteenHi malware and variants, each for a distinct stage of the operation.
The company is confident in blaming APT31 for the attacks because of the similarities between this and other campaigns the group has launched, such as ExCone and DexCone. These used similar tactics and also relied on FourteenHi variants.
Three stages of attack
The attacks, first seen in April 2022, involve multiple stages, with specific implants for each.
The first-stage implants are used for persistent remote access and initial data gathering. The second-stage set then gathers data and files using USB propagation. This stage involves two types of implants: one to collect and archive various data on the local machine, and the other to collect information about removable drives, shadow-copy their contents and infect them with a worm. The worm was then used to exfiltrate data from air-gapped networks.
Finally, the third stage implants are used to upload data to command and control (C2) servers.
The second stage malware consists of four modules:
- The first module targets removable drives. It collects information about a drive, collects stolen files and plants second-step malware on newly connected drives, as well as capturing screenshots and window titles on the infected system.
- The second module infects removable drives by copying a legitimate McAfee executable, known to be vulnerable to DLL hijacking, and a malicious DLL payload onto the device's root directory. It then sets them to "hidden". The module also creates a lure link file (.LNK) in the root directory that triggers the infection if opened.
- The third module executes a batch script to collect data and save the output to the drive's "$RECYCLE.BIN" folder, where the first module can collect it.
- Finally, the fourth module - only seen in some attacks - is a variant of the others. It consists of a payload dropper, like the second module, and the payload itself - a modified version of the first module. It is designed to collect information about a drive, collect files and capture screenshots and keystrokes, but without the routine responsible for infecting a removable drive.
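As an added defensive example, not Kaspersky's code and not a reproduction of the implants, the following heuristic triages a removable drive's root directory for the layout the second-stage modules above leave behind: an executable and a DLL planted side by side, a lure .LNK in the root, and loose output files inside $RECYCLE.BIN. The file names and the sample directory are constructed; the drive is assumed to be mounted and readable.

```python
import os
import stat
import tempfile
from pathlib import Path

# Heuristic triage of a removable drive's root for the second-stage layout
# described above: an EXE and a DLL planted side by side (DLL-hijacking staging),
# a .LNK lure in the root, and loose output files inside $RECYCLE.BIN.
# Assumption: the drive is mounted and readable; the "hidden" attribute can only
# be read on Windows (st_file_attributes), elsewhere only the layout is checked.

def is_hidden(path: Path) -> bool:
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))

def triage_drive_root(root: str) -> list[str]:
    """Return findings for a drive root; an empty list means nothing matched."""
    root_path, findings = Path(root), []
    top = [p for p in root_path.iterdir() if p.is_file()]
    by_ext = lambda ext: [p.name for p in top if p.suffix.lower() == ext]
    exes, dlls, lnks = by_ext(".exe"), by_ext(".dll"), by_ext(".lnk")
    if exes and dlls:  # executable plus DLL in the root = hijacking staging
        findings.append(f"exe+dll pair in root: {exes + dlls}")
        hidden = [n for n in exes + dlls if is_hidden(root_path / n)]
        if hidden:
            findings.append(f"hidden attribute on: {hidden}")
    if lnks:  # the lure shortcut that triggers the infection when opened
        findings.append(f"lnk lure in root: {lnks}")
    bin_dir = root_path / "$RECYCLE.BIN"
    if bin_dir.is_dir():  # a real recycle bin holds per-user SID folders, not loose files
        loose = [p.name for p in bin_dir.iterdir()
                 if p.is_file() and p.name.lower() != "desktop.ini"]
        if loose:
            findings.append(f"loose files in $RECYCLE.BIN: {loose}")
    return findings

def build_sample_drive(infected: bool = True) -> str:
    """Constructed sample: a temp directory laid out like an infected (or clean) drive root."""
    root = tempfile.mkdtemp(prefix="usb_")
    if infected:  # empty placeholder files only, no real binaries
        for name in ("legit_av_tool.exe", "payload.dll", "open_me.lnk"):
            (Path(root) / name).write_bytes(b"")
        os.makedirs(os.path.join(root, "$RECYCLE.BIN"))
        (Path(root) / "$RECYCLE.BIN" / "collected.txt").write_text("sample output")
    return root

if __name__ == "__main__":
    for finding in triage_drive_root(build_sample_drive()):
        print("FINDING:", finding)
```

Run against a real drive letter or mount point the checks are only a starting point for analyst review, since legitimate portable tools can also ship an EXE and DLL together.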
APT31 tried to make detecting and analysing the threat more difficult by hiding the payload and malicious code in binary data files and the memory of legitimate applications.
A full technical report is available on the Kaspersky Threat Intelligence portal.