Chinese hackers are reportedly now deploying malware on targets in Russia


Cybersecurity researchers have detected new activity from a notorious Advanced Persistent Threat (APT) group in countries it had not attacked before, in particular Russia.

Detected by the Positive Technologies Expert Security Center (PT ESC), the attacks have been traced back to APT31, also referred to as Zirconium by Microsoft, which is presumed to work on behalf of the Chinese government. 

“The group's infrastructure is also growing—all this, combined with the fact that the group has not previously attacked Russia, suggests that it is expanding to countries where its increasing activity can be detected, in particular our country,” said Denis Kuvshinov, Head of Threat Analysis at the Moscow-headquartered Positive Technologies. 


In their analysis of the new series of attacks, detected between January and July 2021, the researchers noticed that APT31 first targeted Mongolia, before going after targets in Russia, Belarus, Canada, and the US.

Updated arsenal

PT ESC has compiled a detailed report on the new series of attacks. As usual, phishing was the initial attack vector: the emails tricked users by imitating a domain used by the Russian government.

Furthermore, the attacks relied on previously unseen malware: a remote access trojan (RAT) that could have enabled the group to monitor and perhaps even control the infected computers.

Daniil Koloskov, Senior Threat Analysis Specialist at Positive Technologies, observed that APT31 was particularly cunning in developing and deploying the malware. Not only did it employ various techniques to avoid detection, it also self-destructed after accomplishing its goals, wiping all traces of the files and registry keys it created.

“In order to make the malicious library look like the original version, they named it MSVCR100.dll—the library with the exact same name is part of Visual C++ for Microsoft Visual Studio and is present on almost all computers. In addition, it contains as exports the names that can be found in the legitimate MSVCR100.dll,” said Koloskov.
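The masquerade Koloskov describes works because the file name and export names match the genuine runtime library, so a defender cannot trust the name alone. The script below is an added example (not code from Positive Technologies, TechRadar or the report) of one practical check: locate every file called MSVCR100.dll under a scanned root, hash it, and compare the SHA-256 against an allowlist of verified legitimate builds. The allowlist, the directory tree and the file contents are all constructed inline for the demonstration; a real deployment would populate the allowlist from hashes of known-good copies of the redistributable. Location is reported only as a secondary signal, since the genuine library legitimately ships inside many application folders.

```python
"""Flag copies of a system DLL name (here MSVCR100.dll) whose contents are not
on an allowlist of verified builds. Added example; the allowlist and the sample
directory tree are constructed for this demonstration, not real data."""
import hashlib
import tempfile
from pathlib import Path

# Directories (relative to the scanned root, lower-case, POSIX separators) where
# a genuine copy of the Visual C++ runtime is normally installed.
EXPECTED_DIRS = ("windows/system32/", "windows/syswow64/", "windows/winsxs/")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_masquerades(root, dll_name, known_good):
    """Return (relative_path, verdict) for every file named dll_name under root.

    verdict is "unknown-hash" when the digest is not in known_good (the strongest
    signal of a look-alike DLL), "known-unexpected-location" when the build is
    genuine but sits outside the usual install directories (normal for app-local
    redistributables, so informational only), or "ok".
    """
    root = Path(root)
    results = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.name.lower() != dll_name.lower():
            continue
        rel = path.relative_to(root).as_posix().lower()
        digest = sha256_file(path)
        if digest not in known_good:
            verdict = "unknown-hash"
        elif not any(rel.startswith(d) for d in EXPECTED_DIRS):
            verdict = "known-unexpected-location"
        else:
            verdict = "ok"
        results.append((rel, verdict))
    return results


def build_sample_tree(base):
    """Create a constructed tree: one genuine copy in System32, one genuine
    app-local copy, and one impostor with the same file name but different bytes.
    Returns the allowlist (hash of the constructed genuine bytes)."""
    genuine = b"MZ-constructed-genuine-msvcr100-bytes"
    impostor = b"MZ-constructed-impostor-with-same-name"
    files = {
        "Windows/System32/MSVCR100.dll": genuine,
        "Program Files/SomeApp/msvcr100.dll": genuine,
        "Users/victim/AppData/Roaming/Updater/MSVCR100.dll": impostor,
    }
    for rel, data in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return {hashlib.sha256(genuine).hexdigest()}


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        allowlist = build_sample_tree(tmp)
        return find_masquerades(tmp, "MSVCR100.dll", allowlist)


if __name__ == "__main__":
    for rel, verdict in demo():
        print(f"{verdict:28s} {rel}")
```

Running it lists the System32 copy as `ok`, the application-folder copy as `known-unexpected-location`, and the copy under the user profile as `unknown-hash`; only the last verdict warrants an investigation on its own, and it is the one that catches a renamed library regardless of how faithfully its export table imitates the original.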

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.