- As the experts put it: "The report dwells on the analysis of a series of targeted attacks". Based on this information, we assumed that several hacker groups may be behind the attacks.
- The attackers used malware that communicated with its command-and-control server through the cloud service Yandex.Disk. The malware was dubbed Webdav-O.
- Attackers also used malicious software that accessed the cloud service Mail.ru. The malware was dubbed Mail-O.
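One way a defender can hunt for the cloud-storage command channel described above, as an added example that is not from the report or from Group-IB: it scans constructed proxy log lines for regular WebDAV polling of cloud-storage hosts from one client. The log format, host names, thresholds and sample lines are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed proxy log format: timestamp client method host path "user-agent".
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "PUT", "MOVE", "DELETE"}
# Cloud-storage WebDAV endpoints that ordinary workstations rarely call directly (assumption).
CLOUD_WEBDAV_HOSTS = {"webdav.yandex.ru", "webdav.cloud.mail.ru"}
MIN_POLLS = 3      # fewer PROPFIND requests than this is not treated as polling
MAX_JITTER = 0.2   # (max gap - min gap) / mean gap; regular beacons stay well below this

# Constructed sample: one host polls every 5 minutes and uploads once, one browses normally.
SAMPLE_LOG = """\
2021-03-01T10:00:00 10.0.0.5 PROPFIND webdav.yandex.ru /disk/ "Mozilla/5.0 (Windows NT 10.0)"
2021-03-01T10:00:03 10.0.0.5 PUT webdav.yandex.ru /disk/out.txt "Mozilla/5.0 (Windows NT 10.0)"
2021-03-01T10:05:00 10.0.0.5 PROPFIND webdav.yandex.ru /disk/ "Mozilla/5.0 (Windows NT 10.0)"
2021-03-01T10:10:00 10.0.0.5 PROPFIND webdav.yandex.ru /disk/ "Mozilla/5.0 (Windows NT 10.0)"
2021-03-01T10:02:00 10.0.0.7 GET disk.yandex.ru /client/disk "Mozilla/5.0 Chrome/89.0"
2021-03-01T10:03:00 10.0.0.9 PROPFIND webdav.yandex.ru /disk/ "Mozilla/5.0 (Windows NT 10.0)"
"""

def parse(log_text):
    """Yield (timestamp, client, method, host, path, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, host, path, ua = m.groups()
            yield datetime.fromisoformat(ts), client, method, host, path, ua

def find_webdav_beacons(log_text):
    """Return {(client, host): info} for clients polling a cloud WebDAV host at a steady interval."""
    polls, uploads = defaultdict(list), defaultdict(int)
    for ts, client, method, host, _path, _ua in parse(log_text):
        if host not in CLOUD_WEBDAV_HOSTS or method not in WEBDAV_METHODS:
            continue
        if method == "PROPFIND":
            polls[(client, host)].append(ts)
        elif method == "PUT":
            uploads[(client, host)] += 1
    findings = {}
    for key, times in polls.items():
        times.sort()
        if len(times) < MIN_POLLS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and (max(gaps) - min(gaps)) / mean <= MAX_JITTER:
            findings[key] = {"polls": len(times), "interval_s": mean, "uploads": uploads[key]}
    return findings

if __name__ == "__main__":
    for (client, host), info in find_webdav_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {info}")
```

Real deployments would read the proxy's own log format and tune the host list and thresholds to the environment.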
In early June 2021, analysts from the American cybersecurity company Sentinel Labs released a report about Mail-O. The experts wrote that Mail-O is a version of the relatively well-known malware called SManager, which is used by the Chinese hacker group TA428.
Group-IB specialists wanted to make it clear that Mail-O is a loader, while SManager and Tmanger are Remote Access Trojans (RATs). However, part of the code overlaps in the exported functions "Entery" and "ServiceMain" of Mail-O, SManager and Tmanger, which brings us back to TA428. Moreover, hackers from TA428 have already been found to be involved in espionage against Russia, especially Russian state
To prove the hypothesis that TA428 was behind the attacks against Russian federal executive authorities in 2020, we decided to analyze a sample of Webdav-O. Group-IB Threat Intelligence & Attribution has detected similar malicious behavior before and can now explain why we link it to a specific group. Below we provide an analysis of Webdav-O samples and highlight features that overlap with the points mentioned in the SOLAR JSOC and NCIRCC report.