<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1076912843267184&amp;ev=PageView&amp;noscript=1">
RL Blog

The Week in Security: YoroTrooper steals credentials in Europe, AI-created videos spread malware

Carolynn van Arsdale
Blog Author

Carolynn van Arsdale, Writer, ReversingLabs.



Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: Russian-speaking threat actor YoroTrooper has breached several European organizations since June. Also: What the White House’s National Cybersecurity Strategy needs to be successful. 

This Week’s Top Story

European government and energy organizations are being breached by Russian-speaking threat actor YoroTrooper

According to The Hacker News, a not-yet-seen threat actor, known as YoroTrooper, has targeted a number of government, energy, and international organizations in several European countries since at least June 2022. The campaign was discovered by researchers at Cisco Talos, who found that the threat actor stole credentials from multiple applications, as well as browser histories, cookies, system information and screenshots via several successful compromises. 

Countries targeted include Commonwealth of Independent States (CIS) nations, such as Turkmenistan, Kyrgyzstan, and others. Researchers believe that YoroTrooper is a Russian-speaking threat actor, based on the group’s victimology patterns and the presence of Cyrillic snippets (the alphabet used for Slavic languages such as Russian and Serbian) in the implants. Researchers did also point out that YoroTrooper has tactical overlap with the PoetRAT team, a group that used coronavirus-themed scams to attack government and energy sectors in Azerbaijan in 2020. 

Regarding their attack methods, the group uses a combination of commodity and open source stealer malware, such as Ave Maria (aka Warzone RAT), LodaRAT, Meterpreter, and Stink. The group’s infection chains also used malicious shortcut files (known as LNKs) and decoy documents wrapped in ZIP or RAR archives, propagated via spear-phishing. The LNK files are what allow the group to stealthily launch a dropper to deliver a custom stealer. 

It’s worth mentioning that another threat group, Kasablanka, has been attributed to the LodaRAT stealer malware used in this campaign, and has been seen distributing the Ave Maria stealer malware in campaigns targeting Russia. While the YoroTrooper campaign did start out with these same malware strains, researchers warn that the threat group has advanced to include Python-based malware in their attacks, showcasing that the group has grown stronger after several successful compromises. 

News Roundup

Here are the stories we’re paying attention to this week… 

AI-created YouTube videos spread infostealer malware (DarkReading)

Artificial Intelligence is being used to generate videos pretending to be step-by-step tutorials on how to access programs like Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and others without a license. Instead, the videos are loaded with infostealer malware that scrapes the viewer's sensitive personal data stored on the device.

Four ways to give the national cybersecurity strategy some teeth (SC Media)

ReversingLabs CEO Mario Vuksan offers four steps that the U.S. Congress can take to help the White House's national cybersecurity strategy become a reality. The Strategy, among other cybersecurity goals, calls for software makers to be held liable for insecure software products released to consumers.  

Tick APT targeted high-value customers of East Asian data-loss prevention company (The Hacker News)

A cyberespionage actor known as Tick has been attributed with high confidence to a compromise of an East Asian data-loss prevention (DLP) company that caters to government and military entities.

GoatRAT Android banking trojan targets mobile automated payment system (DarkReading)

An Android banking Trojan with the capability to make instant unauthorized money transfers is targeting Brazilian banks as part of a growing trend among threat actors to exploit a new automated payment system in Latin America.

The cyber impact of the Silicon Valley Bank collapse (The Washington Post)

The collapse of Silicon Valley Bank is proving to be fertile ground for cyber scammers. And it is also might make things difficult for cybersecurity companies who have relied on the bank for financing or to hold funds.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

More Blog Posts