Bitdefender Labs, a security research firm, has found a new campaign targeting government entities in Kazakhstan and Afghanistan. The attacks use a previously unseen malware family known as DownEx. Researchers suspect the campaign was carried out by Russian state-sponsored hackers.
The campaign was discovered in late 2022, when the attackers sent out emails carrying what appeared to be diplomatic documents. The attachments were executable files disguised as Microsoft Word documents.
When one of these files was run, it dropped two further files: a decoy document shown to the victim, and an HTA file containing embedded VBScript. This script contacted the command-and-control (C2) server and fetched the second-stage payload.
Bitdefender's researchers were unable to retrieve the second stage, but they believe it contained a hidden component that gave the attackers persistent access to the infected machine.
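The lure described above relies on a file whose name says "Word document" while its bytes say "Windows executable", followed by an HTA with VBScript inside. The triage routine below is an added example (not Bitdefender's code and not taken from the campaign) that classifies mail attachments by their leading bytes rather than by their extension; the magic numbers are the standard ones for PE, OLE2, OOXML, RTF and PDF files, and every sample attachment at the bottom is constructed for the demonstration.

```python
"""Attachment triage: flag files whose content does not match what their
name claims to be. Added example; all sample attachments are constructed."""
import re

# Leading bytes of the formats we care about.
PE_MAGIC = b"MZ"                                     # Windows EXE/DLL/SCR
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"      # legacy .doc/.xls (OLE2)
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML .docx/.xlsx (zip)
RTF_MAGIC = b"{\\rtf"
PDF_MAGIC = b"%PDF"

DOC_EXTENSIONS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".hta", ".js", ".vbs"}
DOC_KINDS = {"ole-document", "zip-container", "rtf-document", "pdf-document"}

# <script language="VBScript"> or <script type="text/vbscript"> in an HTA body.
HTA_SCRIPT_RE = re.compile(
    rb"<script[^>]*(language|type)\s*=\s*['\"]?(text/)?vbscript", re.I)


def extensions(filename):
    """All extensions, lowercased: 'Agenda.doc.exe' -> ['.doc', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def sniff(data):
    """Identify a file by its leading bytes rather than by its name."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole-document"
    if data.startswith(ZIP_MAGIC):
        return "zip-container"
    if data.startswith(RTF_MAGIC):
        return "rtf-document"
    if data.startswith(PDF_MAGIC):
        return "pdf-document"
    if HTA_SCRIPT_RE.search(data[:4096]):
        return "hta-vbscript"
    return "unknown"


def triage(filename, data):
    """Return (verdict, reason); 'block' means quarantine the attachment."""
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    if kind == "pe" and last in DOC_EXTENSIONS:
        return "block", f"PE binary named as a {last} document"
    if kind == "pe" and len(exts) > 1 and exts[-2] in DOC_EXTENSIONS:
        return "block", "double extension: document name with executable suffix"
    if kind == "hta-vbscript":
        return "block", "HTA with embedded VBScript"
    if last in EXEC_EXTENSIONS:
        return "block", f"executable attachment type {last}"
    if kind in DOC_KINDS and last in DOC_EXTENSIONS:
        return "allow", f"{kind} content matches extension {last}"
    return "review", f"unrecognised content ({kind}) for {last or 'no extension'}"


# Constructed samples: the first two mimic the lure described in the article.
SAMPLES = {
    "Diplomatic_note.docx": b"MZ\x90\x00" + b"\x00" * 60,   # PE named as Word doc
    "Agenda.doc.exe": b"MZ\x90\x00" + b"\x00" * 60,         # double extension
    "update.hta": b'<html><head><script language="VBScript">MsgBox 1</script>',
    "Memo.docx": ZIP_MAGIC + b"\x14\x00\x00\x00[Content_Types].xml",
    "brief.rtf": b"{\\rtf1\\ansi Hello}",
}


def run_samples():
    """Verdict per constructed sample, e.g. for a mail-gateway report."""
    return {name: triage(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in ((n, triage(n, d)) for n, d in SAMPLES.items()):
        print(f"{verdict:6} {name:22} {reason}")
```

The content check comes first deliberately: the extension is attacker-controlled, the magic bytes are not, and a PE dropped under any document name is blocked before the extension rules are even consulted.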
Hackers' Advanced Tools
The attackers also used their own custom tooling: two C/C++ tools for enumerating network resources, a Python script that maintained a continuous connection to the C2 server and retrieved commands from it, and C++ malware (diagsvc.exe, the DownEx component itself) used to exfiltrate data.
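A script that keeps polling a C2 server for commands leaves a signature that ordinary browsing does not: outbound connections to one destination at near-constant intervals. The detector below is an added example (not Bitdefender's code and not derived from the campaign's tooling) that parses outbound connection log lines, groups them by source and destination, and flags pairs whose inter-connection gaps have a low coefficient of variation. The log format and both hosts' traffic are constructed for the demonstration; the thresholds (at least 8 events, coefficient of variation at most 0.15) are assumptions a practitioner would tune to their own network.

```python
"""Beacon detection over outbound connection logs. Added example; the
log lines are constructed, not captured from a real network."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed log format: "<ISO timestamp> <src-ip> -> <dst-ip>:<port>"


def parse_line(line):
    ts, src, _, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_beacons(lines, min_events=8, max_cv=0.15):
    """Return {(src, dst): (mean_gap_seconds, cv)} for pairs whose connection
    intervals are regular enough to look like a polling loop."""
    stamps_by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        stamps_by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_events:
            continue                      # too few events to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg           # spread relative to the mean interval
        if cv <= max_cv:
            hits[pair] = (round(avg, 1), round(cv, 3))
    return hits


def constructed_log():
    """Two hosts: one polling a server about every 60 s, one browsing normally."""
    base = datetime(2022, 11, 14, 9, 0, 0)
    lines = []
    t = base
    for jitter in [0, 2, -1, 1, 3, -2, 0, 1, -1, 2]:      # ~60 s with small jitter
        t += timedelta(seconds=60 + jitter)
        lines.append(f"{t.isoformat()} 10.0.0.5 -> 203.0.113.7:443")
    t = base
    for gap in [5, 140, 12, 900, 33, 7, 260, 48, 19, 610]:  # irregular browsing
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.9 -> 198.51.100.20:443")
    return lines


if __name__ == "__main__":
    for (src, dst), (avg, cv) in find_beacons(constructed_log()).items():
        print(f"possible beacon: {src} -> {dst}, every ~{avg}s (cv={cv})")
```

On its own this heuristic is noisy (software update checks and monitoring agents beacon too), so in practice the output is a candidate list to enrich with destination reputation and the process that opened the connection rather than an alert by itself.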
Investigators could not attribute the attack with certainty, but they found several indicators pointing to Russian involvement. One is the use of a cracked copy of Microsoft Office 2016, which is widespread in Russian-speaking regions. Another is the practice of maintaining the same hidden module in two programming languages, as the APT28 group did with its hidden module Zebrocy.
This incident illustrates how cybersecurity is an increasingly pressing concern for governments and enterprises worldwide. DownEx is a new threat capable of espionage and disruption. To protect systems from such attacks, Bitdefender's researchers recommend staying vigilant and using reputable antivirus software.