Hackers Use New Malware to Breach Air-gapped Devices in Eastern Europe

Cyber Security Threat Summary:
“Chinese state-sponsored hackers have been targeting industrial organizations with new malware that can steal data from air-gapped systems. Air-gapped systems typically fulfill critical roles and are isolated from the enterprise network and the public internet either physically or through software and network devices. Researchers at cybersecurity company Kaspersky discovered the new malware and attributed it to the cyber-espionage group APT31, a.k.a. Zirconium” (Bleeping Computer, 2023).

The hackers used 15 distinct implants in attacks against Eastern Europe. Each implant was used in a specific stage of the operation. The attacks began in April of last year and involved three separate stages. The initial implants were used to establish persistence and offered remote access to compromised systems to collect data useful for reconnaissance.

During the second stage, the implants became more specialized and used their capabilities to steal data from isolated systems using USB propagation. The third stage of the attack saw the implants uploading stolen data to the attacker-controlled command and control (C2) servers.

Security Officer Comments:
The malware that targets isolated systems consists of four modules described below:

  • First module: Profiles removable drives connected to the system, collects files, captures screenshots and window titles, and drops additional payloads on the infected device.
  • Second module: Infects removable drives by copying a legitimate McAfee executable that is vulnerable to DLL hijacking, together with a malicious DLL payload, onto the root directory of the device and setting both as "hidden." The tool also creates a lure LNK file that triggers the infection if the victim launches it.
  • Third module: Executes a batch script to collect data from the device and saves the output to the "$RECYCLE[.]BIN" folder, from which the first module collects it.
  • Fourth module: Variant of the first module seen in some attacks; acts as a payload dropper, keylogger, screenshot-capturing tool, and file stealer.
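
As an added detection example (not code from the page, Kaspersky or the threat actor), the following Python checks a constructed listing of a removable drive for the layout the second and third modules leave behind: a hidden EXE and hidden DLL pair beside a visible LNK lure in the drive root, and files staged in $RECYCLE.BIN outside the per-user SID folders a genuine recycle bin uses. The SID-folder check and all file names are assumptions made for the example.

```python
# Added example (not from the page or Kaspersky): heuristic for the removable-drive
# infection pattern described in the module list above.
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Entry:
    """One file on a removable drive; path is relative to the drive root."""
    path: str
    hidden: bool        # FILE_ATTRIBUTE_HIDDEN set


# Assumption used as a heuristic: a genuine recycle bin stores files under a per-user
# SID folder such as $RECYCLE.BIN\S-1-5-21-...\, so anything outside one is odd.
SID_DIR = re.compile(r"^\$RECYCLE\.BIN\\S-1-5-\d+(-\d+)+\\", re.IGNORECASE)


def _ext(path):
    return path.lower().rsplit(".", 1)[-1] if "." in path else ""


def classify_root(entries):
    """Return a list of finding strings for one drive listing (empty = nothing seen)."""
    root = [e for e in entries if "\\" not in e.path]          # files directly in the root
    hidden_exe = [e.path for e in root if e.hidden and _ext(e.path) == "exe"]
    hidden_dll = [e.path for e in root if e.hidden and _ext(e.path) == "dll"]
    lures = [e.path for e in root if not e.hidden and _ext(e.path) == "lnk"]
    findings = []
    # Second module: hidden legitimate EXE + hidden malicious DLL + visible LNK lure.
    if hidden_exe and hidden_dll and lures:
        findings.append(f"root contains hidden EXE {hidden_exe} and hidden DLL {hidden_dll} "
                        f"beside LNK lure {lures}: possible DLL side-loading USB implant")
    # Third module: batch-script output staged in $RECYCLE.BIN outside any SID folder.
    staged = [e.path for e in entries
              if e.path.lower().startswith("$recycle.bin\\") and not SID_DIR.match(e.path)]
    if staged:
        findings.append(f"files staged directly in $RECYCLE.BIN: {staged}")
    return findings


# Constructed sample listings (invented names, not real indicators).
SUSPECT_DRIVE = [
    Entry("Quarterly_Report.lnk", hidden=False),
    Entry("mcupdate.exe", hidden=True),        # stands in for the legitimate, hijackable EXE
    Entry("helper.dll", hidden=True),
    Entry("$RECYCLE.BIN\\sysinfo.txt", hidden=True),
    Entry("$RECYCLE.BIN\\S-1-5-21-1111-2222-3333-1001\\desktop.ini", hidden=True),
]
CLEAN_DRIVE = [
    Entry("Quarterly_Report.docx", hidden=False),
    Entry("$RECYCLE.BIN\\S-1-5-21-1111-2222-3333-1001\\desktop.ini", hidden=True),
]

if __name__ == "__main__":
    for name, listing in (("suspect", SUSPECT_DRIVE), ("clean", CLEAN_DRIVE)):
        print(name, classify_root(listing) or ["no findings"])
```
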

“In May 2022, Kaspersky noticed an additional implant used in the APT31 attacks, designed to collect local files from breached systems. That implant decrypts and injects its payload into the memory of a legitimate process to evade malware detection, then sleeps for 10 minutes and eventually copies all files that match the file type extensions defined in its configuration. The stolen files are archived using WinRAR (if not available, the malware exits) and then stored in temporary local folders created by the malware under "C:\ProgramData\NetWorks\." Ultimately, the archives are exfiltrated to Dropbox” (Bleeping Computer, 2023).

T1204.002 - User Execution: Malicious File
A system is infected when the user runs the malware believing it to be a legitimate document.

T1059.003 - Command and Scripting Interpreter: Windows Command Shell
Uses cmd[.]exe to execute multiple commands.

T1106 - Native API
Uses the CreateProcessW function to execute commands in the Windows command line interpreter.

T1053.005 - Scheduled Task/Job: Scheduled Task
Malware is executed with a Windows task created by the threat actor.

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Malware achieves persistence by adding itself to the Registry as a startup program.

T1543.003 - Create or Modify System Process: Windows Service
Installs itself as a service to achieve persistence.

T1140 - Deobfuscate/Decode Files or Information
Uses RC4 key to decrypt the malware configuration, as well as to protect communication.

T1055.002 - Process Injection: Portable Executable Injection
Malware injects itself into various legitimate processes upon execution (msiexec[.]exe, svchost[.]exe).

T1497.001 - Virtualization/Sandbox Evasion: System Checks
Employs various system checks to detect and avoid virtualization and analysis environments.

T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion
Employs various time-based methods to detect and avoid virtualization and analysis environments.

T1574.002 - Hijack Execution Flow: DLL Side-Loading
Threat actors abuse a legitimate application binary to load a malicious DLL.

T1033 - System Owner/User Discovery
Threat actors use systeminfo, whoami, and net utilities to get information about the user and the infected system.

T1057 - Process Discovery
Threat actors use tasklist to enumerate running processes.

T1071.001 - Application Layer Protocol: Web Protocols
Malware uses HTTPS and raw TCP for communication with C2.

T1573.001 - Encrypted Channel: Symmetric Cryptography
Malware uses RC4 and SSL/TLS v3 (using libssl[.]dll) to encrypt communication.

T1041 - Exfiltration Over C2 Channel
Threat actors exfiltrate data using Dropbox, Yandex Disk, Yandex email and temporary file sharing services as a C2 channel.

Suggested Correction(s):
Air-gapped systems are an attractive target for APT groups, who typically turn to USB drives to deliver malware and exfiltrate data from the isolated environment.
  • Install security software with support for centralized security policy management on all servers and workstations and keep the antivirus databases and program modules of your security solutions up-to-date.
  • Check that all security software components are enabled on all systems and that a policy is in place which requires the administrator password to be entered in the event of attempts to disable protection.
  • Consider using Allowlisting and Application Control technologies to prevent unknown applications from being executed.
  • Consider using the Golden image configuration mode for Allowlisting and Application Control to prevent any software that is not allowed (including known vulnerable applications) from being executed.
  • Consider restricting internet access from the OT network by default, allowing access to specific users for limited periods of time and only when it is required to perform their duties.