The US Cyber Command's Cyber National Mission Force (CNMF) has uploaded eight malware samples to its VirusTotal account and linked them to Russian state-backed espionage groups.
Six of the samples are ComRAT and the other two are Zebrocy. The victims of these malware families are mostly in Europe and Central Asia. The FBI and CISA have also published advisories on both.
The US Links Malwares to Russian State-backed Hackers
US cybersecurity agencies actively track and report on foreign groups that attack US infrastructure. In one such disclosure, the Cyber National Mission Force (CNMF) of US Cyber Command uploaded eight new malware samples to its VirusTotal account.
An implant dropper dubbed #ComRATv4 recently attributed by @CISAgov and @FBI to Russian sponsored APT, Turla. It was likely used to target ministries of foreign affairs and national parliament.
@CNMF_CyberAlert continues to disclose #malware samples on: https://t.co/fSgk1xpG8t
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert), October 29, 2020
Six of the samples are ComRAT and the remaining two are Zebrocy. ComRAT is attributed to the Turla group and Zebrocy to APT28; US Cyber Command describes both groups as Russian state-backed attackers.
Both groups have reportedly used these families for a long time, and ComRAT itself is more than a decade old. The groups regularly update the malware with new components to evade detection, which lets them remain on a victim's systems for extended periods. Publishing the latest samples lets system administrators study the current builds and hunt for them in their own environments, with the caveat that hash-based indicators derived from these samples match only these exact builds and not the next update.
It also helps antivirus vendors build detections for the new variants. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI's CyWatch have jointly released two advisories describing how ComRAT and Zebrocy operate.
Researchers note that this is the first time the US government has officially linked these malware families to Russian cyberespionage groups. Until now, attribution for ComRAT and Zebrocy had come only from reports by private security vendors, never from an advisory published by a government agency. The two families also differ in targeting: ComRAT has historically been used against national parliaments and foreign affairs ministries, while Zebrocy has been aimed at embassies.