
The attackers used email campaigns to achieve their goals. The emails they sent appeared legitimate and contained malicious attachments or links to them; the malware was disguised as Microsoft Windows components.
Moreover, the emails sent in September to Kyrgyz telecom operators were written as if from potential clients interested in mobile tariff plans.
When the recipients opened the attachment, an image appeared on the screen asking them to enable macros. After activation, the victim was shown a tariff plan (which, by the way, was copied from another provider), and the targeted malware was installed.
According to the analysis, the backdoor that the script downloads, named LuciDoor, is written in C++ and can connect to its C2 either directly or through system proxies and other servers inside the victim's infrastructure. Its functions include gathering information about the infected device, downloading additional programs, and exfiltrating data.
Further attacks on Kyrgyz telecom operators were recorded in November. The attackers modified the bait document but made the same mistake: the document was addressed to a name that did not match the recipient. The new Windows backdoor used in this attack is called MarsSnake and had previously been used in espionage attacks in Saudi Arabia.
The MarsSnake backdoor is notable for its ease of configuration: changes are made by updating parameters in the loader, eliminating the need to rebuild the executable file. After activation, the malware collects system data and creates a unique identifier for transmission to C2.
"Interestingly, in the attacks that occurred last year, the malicious documents were in Russian, but the settings used Arabic, English, and Chinese," noted PT ESC TI expert Alexander Badaev. "We also found a field in the files that indicates the use of the Chinese language. This may suggest that the attackers used a Microsoft Office package with the corresponding settings or a document template in Chinese."
In the January attacks in Tajikistan, links were used instead of malicious attachments. The image prompting the user to enable macros was altered, and its text was in English. The targeted malware was again LuciDoor, but in a different configuration.
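The language inconsistency the PT ESC expert describes (Russian body text, Arabic, English and Chinese in the document settings) can be turned into a simple triage check. The following script is an added example and is not code from the report or from PT ESC; it assumes the bait files are OOXML .docx documents, so "settings" is read from the w:themeFontLang element of word/settings.xml, body language from w:lang on runs in word/document.xml, and macro presence from the existence of word/vbaProject.bin. The sample document it builds is constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by both document.xml and settings.xml
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def triage_docx(data: bytes) -> dict:
    """Report macro presence, run languages and settings languages of a .docx blob.
    'suspicious' = macro present AND no body-text language appears in the settings
    languages (the mismatch pattern described for the bait documents)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        has_macro = "word/vbaProject.bin" in names  # assumption: macro lives here
        run_langs, settings_langs = set(), set()
        if "word/document.xml" in names:
            root = ET.fromstring(z.read("word/document.xml"))
            for lang in root.iter(W + "lang"):  # w:lang on run properties
                run_langs.update(v for v in lang.attrib.values() if v)
        if "word/settings.xml" in names:
            root = ET.fromstring(z.read("word/settings.xml"))
            for tfl in root.iter(W + "themeFontLang"):  # w:val / w:eastAsia / w:bidi
                settings_langs.update(v for v in tfl.attrib.values() if v)
    mismatch = bool(run_langs) and run_langs.isdisjoint(settings_langs)
    return {"has_macro": has_macro, "run_langs": run_langs,
            "settings_langs": settings_langs, "suspicious": has_macro and mismatch}


def build_sample(body_lang: str, settings: dict, with_macro: bool) -> bytes:
    """Build a minimal constructed .docx in memory (only the parts triage_docx reads)."""
    ns = W[1:-1]
    doc = (f'<w:document xmlns:w="{ns}"><w:body><w:p><w:r><w:rPr>'
           f'<w:lang w:val="{body_lang}"/></w:rPr><w:t>Tariff plan</w:t></w:r></w:p>'
           '</w:body></w:document>')
    attrs = " ".join(f'w:{k}="{v}"' for k, v in settings.items())
    st = f'<w:settings xmlns:w="{ns}"><w:themeFontLang {attrs}/></w:settings>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/settings.xml", st)
        if with_macro:  # constructed stub, not a real VBA project
            z.writestr("word/vbaProject.bin", b"constructed-vba-stub")
    return buf.getvalue()


if __name__ == "__main__":
    bait = build_sample("ru-RU", {"val": "en-US", "eastAsia": "zh-CN", "bidi": "ar-SA"}, True)
    print(triage_docx(bait))
```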