YoroTrooper Stealing Credentials and Information from Government and Energy Organizations

[silversurfer]

Content source

https://thehackernews.com/2023/03/yorotrooper-stealing-credentials-and.html

A previously undocumented threat actor dubbed YoroTrooper has been targeting government, energy, and international organizations across Europe as part of a cyber espionage campaign that has been active since at least June 2022.

"Information stolen from successful compromises include credentials from multiple applications, browser histories and cookies, system information and screenshots," Cisco Talos researchers Asheer Malhotra and Vitor Ventura said in a Tuesday analysis.

YoroTrooper Stealing Credentials and Information from Government and Energy Organizations

A new threat actor, YoroTrooper, has been identified by Cisco Talos as running espionage campaigns targeting government and energy organizations.

thehackernews.com

---

• Cisco Talos has identified a new threat actor, which we are naming “YoroTrooper,” that has been running several successful espionage campaigns since at least June 2022.
• YoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS), based on our analysis. We also observed YoroTrooper compromise accounts from at least two international organizations: a critical European Union (EU) health care agency and the World Intellectual Property Organization (WIPO). Successful compromises also included Embassies of European countries including Azerbaijan and Turkmenistan. We assess the actor also likely targets other organizations across Europe and Turkish (Türkiye) government agencies.
• Information stolen from successful compromises include credentials from multiple applications, browser histories & cookies, system information and screenshots.
• YoroTrooper’s main tools include Python-based, custom-built and open-source information stealers, such as the Stink stealer wrapped into executables via the Nuitka framework and PyInstaller. For remote access, YoroTrooper has also deployed commodity malware, such as AveMaria/Warzone RAT, LodaRAT and Meterpreter.
• The infection chain consists of malicious shortcut files (LNKs) and optional decoy documents wrapped in malicious archives delivered to targets. The actor appears intent on exfiltrating documents and other information, likely for use in future operations.

Talos uncovers espionage campaigns targeting CIS countries, embassies and EU health care agency

Cisco Talos has identified a new espionage oriented threat actor, which we are naming “YoroTrooper,” targeting a multitude of entities in Europe and Turkey.

blog.talosintelligence.com

 

[MuzzMelbourne]

A newly identified threat actor has been observed targeting government and energy organizations in the Commonwealth of Independent States (CIS) region for espionage and data theft, Cisco warns.

Dubbed YoroTrooper, the group has been active since at least June 2022, mainly hitting governments across Eastern Europe, but was also seen compromising accounts at a European Union healthcare agency and the World Intellectual Property Organization (WIPO).

Believed to consist of Russian-speaking individuals, the group successfully compromised organizations in Azerbaijan, Kyrgyzstan, Tajikistan, and other CIS countries, and is believed to be also targeting other entities in Europe, as well as Turkish government agencies.

New Espionage Group 'YoroTrooper' Targeting Entities in European, CIS Countries

A newly identified threat actor named YoroTrooper is targeting organizations in Europe and the CIS region for espionage and data theft.

www.securityweek.com