'EastWind' Cyber-Spy Campaign Combines Various Chinese APT Tools

The likely China-linked campaign is deploying CloudSorcerer and other proprietary binaries belonging to known state-sponsored groups, showing how advanced persistent threat groups often collaborate with each other.


A likely China-nexus threat actor is using popular cloud services such as Dropbox, GitHub, Quora, and Yandex as command-and-control (C2) servers in a new cyber espionage campaign targeting government organizations in Russia.

Researchers at Kaspersky are tracking the campaign as "EastWind," after uncovering it while investigating devices that had been infected via phishing emails carrying malicious shortcut attachments.

Dropbox-Hosted C2 Servers

Kaspersky's analysis showed the malware was communicating with and receiving commands from a C2 server on Dropbox. The researchers also found the attackers using the initial payload to download additional malware associated with two different China-sponsored groups — APT31 and APT27 — onto infected systems. In addition, the threat actor used the C2 servers to download a newly modified version of 'CloudSorcerer,' a sophisticated cyber espionage tool that Kaspersky first observed earlier this year, in the hands of a new group it named after the tool, in attacks that also targeted Russian government entities.

Kaspersky has perceived the use of tools from different threat actors in the EastWind campaign as a sign of how APT groups often collaborate and share malware tools and knowledge with each other.

"In attacks on government organizations, threat actors often use toolkits that implement a wide variety of techniques and tactics," Kaspersky researchers said in a blog post this week. "In developing these tools, they go to the greatest lengths possible to hide malicious activity in network traffic."

APT31 is an advanced persistent threat group that US officials have identified as working on behalf of China's Ministry of State Security in Wuhan. Earlier this year, the US Department of Justice indicted seven members of the group for their role in cyber-spy campaigns that victimized thousands of entities globally over a period spanning 14 years. Mandiant, one of several security vendors tracking APT31, has described the threat actor's mission as gathering information from rival nations that could be of economic, military, and political benefit to China. The group's most frequent targets have included government and financial organizations, aerospace companies, and entities in the defense, telecommunication, and high-tech sectors.

APT27, or Emissary Panda, is another China-linked group engaged in the theft of intellectual property from organizations in sectors that China perceives as being of vital strategic interest. Like APT31, the group has relied heavily on malware delivered via phishing emails for initial access.

Kaspersky did not tie either group specifically to the new EastWind campaign that it spotted targeting Russian government entities, but pointed out that it had observed the use of both groups' malware in the attacks.

Tools From Different China-Nexus Actors

Kaspersky has dubbed the APT31 malware that the threat actor behind EastWind is using "GrewApacha," a Trojan that APT31 has been using since at least 2021. The security vendor observed the EastWind threat actor using GrewApacha to collect information about infected systems and to install additional malicious payloads on them. The adversary has meanwhile been using the aforementioned CloudSorcerer — a backdoor that the attacker executes manually — to download PlugY, an implant whose code overlaps with APT27's.

Kaspersky found the implant communicating with the Dropbox-hosted C2 servers via the TCP and UDP protocols and via named pipes, a Windows mechanism for interprocess communication. "The set of commands this implant can handle is quite extensive, and implemented commands range from manipulating files and executing shell commands to logging keystrokes and monitoring the screen or the clipboard," Kaspersky said.
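The recurring theme of this campaign, from the initial payload through PlugY, is that C2 traffic hides behind legitimate cloud services, so domain blocklists alone give a defender little. The following Python script is an added example written for this article; it is not Kaspersky's tooling and not code from the report. It illustrates two triage heuristics over connection telemetry: flagging processes outside an allowlist that talk to the services named above, and flagging contacts to those services that arrive at near-constant intervals, the polling rhythm of an implant waiting for commands. The log format, the domain-to-service map, the process allowlist and every record in SAMPLE_LOG are constructed assumptions, not indicators from the campaign.

```python
"""Triage helper for cloud-service C2 abuse (added example; assumptions throughout)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import pstdev

# Public hosts of the services the article says were abused as C2.
# The concrete domains are an assumption made for this example.
CLOUD_SERVICE_DOMAINS = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "github.com": "GitHub",
    "quora.com": "Quora",
    "yandex.ru": "Yandex",
    "yandex.com": "Yandex",
}

# Processes expected to reach those services in this (assumed) environment.
EXPECTED_PROCESSES = {"dropbox.exe", "chrome.exe", "firefox.exe", "msedge.exe", "git.exe"}


@dataclass
class Conn:
    ts: int        # epoch seconds
    host: str      # endpoint name
    process: str   # image name, lower-cased
    dest: str      # destination domain
    proto: str     # tcp or udp (the implant used both per the report)


def service_for(dest: str):
    """Map a destination domain (or any subdomain of it) to a service name."""
    dest = dest.lower().rstrip(".")
    for domain, name in CLOUD_SERVICE_DOMAINS.items():
        if dest == domain or dest.endswith("." + domain):
            return name
    return None


def parse_line(line: str) -> Conn:
    # Constructed record format: "<epoch> <host> <process> <dest> <proto>"
    ts, host, process, dest, proto = line.split()
    return Conn(int(ts), host, process.lower(), dest, proto.lower())


def unexpected_cloud_clients(lines):
    """(host, process, service) triples for non-allowlisted processes reaching a service."""
    hits = set()
    for line in lines:
        c = parse_line(line)
        svc = service_for(c.dest)
        if svc and c.process not in EXPECTED_PROCESSES:
            hits.add((c.host, c.process, svc))
    return sorted(hits)


def regular_beacons(lines, min_count=4, max_jitter=0.2):
    """(host, process, service) triples whose contacts are evenly spaced in time.

    A coefficient of variation of the inter-contact gaps at or below max_jitter,
    over at least min_count contacts, is treated as machine-driven polling.
    """
    series = defaultdict(list)
    for line in lines:
        c = parse_line(line)
        svc = service_for(c.dest)
        if svc:
            series[(c.host, c.process, svc)].append(c.ts)
    flagged = []
    for key, stamps in series.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            flagged.append(key)
    return sorted(flagged)


# Constructed sample telemetry: one host polls Dropbox every ~60 s from a
# non-browser process, one host reaches Yandex from an unexpected updater.
SAMPLE_LOG = """\
1723400000 ws-0142 chrome.exe www.dropbox.com tcp
1723400060 ws-0142 updsvc.exe api.dropboxapi.com tcp
1723400120 ws-0142 updsvc.exe api.dropboxapi.com tcp
1723400180 ws-0142 updsvc.exe api.dropboxapi.com tcp
1723400241 ws-0142 updsvc.exe api.dropboxapi.com tcp
1723400300 ws-0207 git.exe github.com tcp
1723400310 ws-0207 chrome.exe www.quora.com tcp
1723400400 ws-0315 updater.exe mail.yandex.ru udp
""".strip().splitlines()

if __name__ == "__main__":
    for hit in unexpected_cloud_clients(SAMPLE_LOG):
        print("unexpected client:", hit)
    for hit in regular_beacons(SAMPLE_LOG):
        print("regular beacon:   ", hit)
```

Both heuristics are meant as a starting point for hunting, not as a verdict: the allowlist encodes an assumption about what normally talks to these services on a given network, and the jitter threshold should be tuned against that network's own baseline before the output is acted on.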

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

