Bitdefender Spots Novel ‘DownEx’ Malware Targeting Foreign Government Agencies
A possibly Russian state hacking group has been deploying a novel backdoor against international governmental targets located in Kazakhstan and Afghanistan, reports Bitdefender.
Security researchers at the cybersecurity firm don’t have hard evidence that Russian state hackers are behind the observed attacks, but say that low-confidence indicators point to Moscow. At least one victim appears to be an embassy located in Kazakhstan.
Among the indicators is a bait document created with a cracked version of Microsoft Office 2016 known as “SpecialisST RePack” that’s popular in Russian-speaking countries. The coders behind the backdoor, which Bitdefender dubs DownEx, also wrote it in both Python and C++. Using multiple programming languages is behavior that security researchers have seen before from the Russian intelligence hacking group APT28.
Bitdefender first spotted DownEx in late 2022. Researchers don’t know the initial infection vector, but say spear phishing is likely. The attack “used a simple technique of using an icon file associated with .docx files to masquerade an executable file as a Microsoft Word document.”
On execution, DownEx loads a Word document designed to seem inconspicuous while also activating an HTML application script. In the samples analyzed by Bitdefender, the next stage of payload retrieval from a command-and-control server failed, but researchers expect it would have been malware to establish persistence.
After execution, DownEx parses local and network drives to collect a slew of files including Word, Excel and PowerPoint documents, images and videos, compressed files and PDFs. It also looks for encryption keys and QuickBooks log files.
The malware exfiltrates data using a password-protected zip archive, limiting the size of each archive to 30 megabytes.
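For defenders triaging a staging directory or captured uploads, the two traits described above (password protection and a 30-megabyte ceiling) can be checked without knowing the password, because the ZIP central directory records an encryption flag per entry. The following is an added example, not code from Bitdefender or the article; the function names and the heuristic are assumptions, and a match is only a lead for review since many legitimate archives are also encrypted.

```python
import io
import zipfile

SIZE_CAP = 30 * 1024 * 1024   # per-archive limit reported in the article
ENCRYPTED_BIT = 0x1           # ZIP general-purpose flag bit 0: entry is encrypted


def triage_zip(data: bytes) -> dict:
    """Summarise an archive from its central directory; no password needed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()
    except zipfile.BadZipFile:
        return {"valid": False, "entries": 0, "encrypted": 0, "flag": False}
    encrypted = sum(1 for e in entries if e.flag_bits & ENCRYPTED_BIT)
    # Heuristic (assumption): every entry encrypted and archive within the cap.
    flag = bool(entries) and encrypted == len(entries) and len(data) <= SIZE_CAP
    return {"valid": True, "entries": len(entries),
            "encrypted": encrypted, "flag": flag}


def constructed_sample(encrypted: bool) -> bytes:
    """Constructed test archive; the encrypted flag is set by patching headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:   # ZIP_STORED, so no stray "PK" bytes
        zf.writestr("notes.txt", "constructed sample data")
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[raw.find(b"PK\x03\x04") + 6] |= ENCRYPTED_BIT   # local file header flags
        raw[raw.find(b"PK\x01\x02") + 8] |= ENCRYPTED_BIT   # central directory flags
    return bytes(raw)


if __name__ == "__main__":
    for label, enc in (("plain", False), ("password-protected", True)):
        print(label, triage_zip(constructed_sample(enc)))
```
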
Kazakhstan historically is a Russian ally, but ties between the two nations deteriorated following Russia’s 2022 invasion of Ukraine. The Central Asian country late last year terminated a $39 million joint telecom security project it signed with Russia in 2019. Kazakhstan’s president Kassym-Jomart Tokayev also refused to recognize the Ukrainian territories Russia claimed to have annexed and did not hold bilateral talks with Russian President Vladimir Putin during a summit of Central Asian presidents.