Sophisticated DownEx Malware Campaign Targeting Central Asian Governments

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
9,998
Government organizations in Central Asia are the target of a sophisticated espionage campaign that leverages a previously undocumented strain of malware dubbed DownEx.

Bitdefender, in a report shared with The Hacker News, said the activity remains active, with evidence likely pointing to the involvement of Russia-based threat actors.

The Romanian cybersecurity firm said it first detected the malware in a highly targeted attack aimed at foreign government institutions in Kazakhstan in late 2022. Subsequently, another attack was observed in Afghanistan.

The use of a diplomat-themed lure document and the campaign's focus on data exfiltration suggests the involvement of a state-sponsored group, although the exact identity of the hacking outfit remains indeterminate at this stage.

The initial intrusion vector for the campaign is suspected to be a spear-phishing email bearing a booby-trapped payload, which is a loader executable that masquerades as a Microsoft Word file.

Opening the attachment leads to the extraction of two files, including a decoy document that's displayed to the victim while a malicious HTML application (.HTA) with embedded VBScript code runs in the background. The HTA file, for its part, is designed to establish contact with a remote command-and-control (C2) server to retrieve a next-stage payload. While the exact nature of the malware is not unknown, it's said to be a backdoor to establish persistence.



 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top