NGC2180: hackers attacked a Russian government agency using servers in Saudi Arabia

The attackers used a carefully disguised, custom-written espionage tool.

Researchers from Solar 4RAYS, the research center of Solar Group, have found traces of a foreign hacker group's activity in the systems of a Russian federal executive body. The attackers used unique, carefully concealed malware for espionage, controlling it through compromised servers belonging to various organizations around the world. The group has been active for at least three years, but the researchers have not yet been able to determine its origin with confidence, so it has been given the provisional designation NGC2180. The detected malware has since been neutralized and the affected systems restored.

At the end of 2023, while auditing the infrastructure of a critical Russian agency, Solar 4RAYS analysts found signs of unauthorized access on one of its workstations. A closer investigation uncovered several samples of a multi-stage malware family, named DFKRAT, on the agency's network. During the attack this malware deployed an implant that gives the operators extensive control over the system, including data theft and the download of further malware. The discovered version had not previously appeared in open sources, but its evolution could be traced back to 2021. With each update the malware grew more complex, including the adoption of DLL side-loading and the abandonment of sequential command transmission from the command-and-control server.
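The report names DLL side-loading as one of the techniques DFKRAT adopted, but gives no detection guidance. The following PowerShell hunting heuristic is an added example and is not code from Solar 4RAYS or from the report; it looks in user-writable application directories for the two classic side-loading signatures: a DLL whose file name collides with a DLL in System32 (so a signed EXE in the same folder resolves it first), and an unsigned DLL sitting beside a validly Authenticode-signed EXE. The search roots and the two heuristics are assumptions to be tuned for a given estate.

```powershell
# Added hunting example (not from the Solar 4RAYS report): flag candidate DLL side-loading.
# Heuristic 1: DLL name collides with a System32 DLL in an application folder.
# Heuristic 2: unsigned DLL beside a validly signed EXE in the same folder.
# $Roots is an assumption; add Program Files or per-host paths as needed.
param(
    [string[]]$Roots = @("$env:ProgramData", "$env:LOCALAPPDATA", "$env:APPDATA", "$env:PUBLIC")
)

# Build a case-insensitive set of DLL names shipped in System32.
$systemDlls = Get-ChildItem -Path "$env:SystemRoot\System32" -Filter *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name } | Sort-Object -Unique
$systemSet = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@($systemDlls), [System.StringComparer]::OrdinalIgnoreCase)

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $dirs = @(Get-ChildItem -Path $root -Recurse -Directory -ErrorAction SilentlyContinue) + (Get-Item -LiteralPath $root)
    foreach ($dir in $dirs) {
        $exes = Get-ChildItem -Path $dir.FullName -Filter *.exe -File -ErrorAction SilentlyContinue
        if (-not $exes) { continue }
        $dlls = Get-ChildItem -Path $dir.FullName -Filter *.dll -File -ErrorAction SilentlyContinue
        if (-not $dlls) { continue }

        # A validly signed EXE in the folder is the intended host for a side-loaded DLL.
        $signedExe = $exes |
            Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -eq 'Valid' } |
            Select-Object -First 1

        foreach ($dll in $dlls) {
            $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
            $reasons = @()
            if ($systemSet.Contains($dll.Name)) {
                $reasons += 'name collides with a System32 DLL'
            }
            if ($signedExe -and $sig.Status -ne 'Valid') {
                $reasons += "unsigned DLL beside signed EXE $($signedExe.Name)"
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Path      = $dll.FullName
                    SigStatus = $sig.Status
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    Reason    = ($reasons -join '; ')
                }
            }
        }
    }
}

$findings | Sort-Object Path | Format-Table -AutoSize
```

Run it in an elevated session on a suspect host. The output is a triage list rather than a verdict: many legitimate applications ship unsigned helper DLLs, so each hit still needs the file hashed and compared against the indicators of compromise published with the report, and a name collision with System32 is only meaningful when the adjacent EXE actually imports that DLL.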

"We managed to find and analyze a fragment of the management server code. The file was uploaded to a public service under the name config.jsp from a Saudi Arabian IP address. Analysis of the network infrastructure showed that this was probably an intermediate victim whose server had been compromised to host a command-and-control (C2) center. In the current version of the implant, a hacked server component of the Institute of Nanoscience and Nanotechnology of the National Center for Scientific Research 'Democritus' in Greece was used to coordinate its work," the company said.

Dmitry Marichev, a malware analyst, noted that the observed pace of development and refinement of the malicious architecture points to a well-organized and well-resourced group, possibly with state backing. The researchers warn the information security community that further NGC2180 attacks are likely and urge close monitoring for the indicators of compromise listed in their study.