Kaspersky Lab has reported a wave of targeted attacks on defense enterprises and government agencies in Afghanistan, Russia and several Eastern European countries.
In total, during the investigation, experts identified attacks on more than a dozen organizations. The attackers' presumed goal was cyber espionage. Experts suggest that the identified series of attacks may be related to the activities of the Chinese-speaking cyber group TA428, which used new modifications of previously known backdoors.
In a number of cases, the attackers managed to take over the IT infrastructure completely. To do this, they used well-prepared phishing emails. These contained inside information that was not available in public sources at the time the attackers used it, including the full names of employees working with confidential information and internal code names of projects. The phishing emails carried Microsoft Word documents with malicious code exploiting the CVE-2017-11882 vulnerability. This vulnerability allows malware to take control of an infected system without any additional action on the part of the user; the user is not even required to enable macro execution.
As their main tool for advancing the attack inside the network, the attackers used the Ladon utility, which can scan the network, find and exploit vulnerabilities, and steal passwords. At the final stage, they seized the domain controller and then gained full control over the workstations and servers of the target organization that were of interest to them. Having obtained the necessary privileges, the attackers began to search for files containing confidential data and upload them to their servers deployed in different countries. These same servers were used to control the malware.