Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack


One of the follow-on payloads sent to about a dozen organizations was described by Kaspersky as a “minimal backdoor”. It has the ability to execute commands, download files, and run shellcode payloads in memory – making infections harder to detect.

Kaspersky said it observed a more complex backdoor, called QUIC RAT, which was installed on a single machine at an educational institution based in Russia. Initial analysis found that it could inject payloads into the notepad.exe and conhost.exe processes and supported various C2 communication protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3.

The 100 infected organizations were primarily located in Russia, Brazil, Türkiye, Spain, Germany, France, Italy, and China. Kaspersky’s visibility into the attack is limited because it is based solely on telemetry provided by its own products.

Kaspersky researchers wrote:

The analysis shows that 10% of the affected systems belong to businesses and organizations. The attackers attempted to infect most of the affected machines with only an information collector payload. However, the other backdoor payload, which is more complex, has only been spotted on a dozen machines from government, scientific, manufacturing and retail organizations located in Russia, Belarus and Thailand. This method of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker intended to spread the infection in a targeted manner. However, their intention – whether it is cyber espionage or ‘big game hunting’ – is unclear at the moment.

Recent supply-chain attacks have affected Trivy, Checkmarx, and Bitwarden, as well as over 150 packages available through open source repositories. There were at least six notable such attacks last year.

Anyone who uses Daemon Tools should take the time to scan their entire machines using reputable antivirus software. Windows users should additionally check for the indicators of compromise listed in the Kaspersky post. For more technically advanced users, Kaspersky recommends “monitoring suspicious code injection into legitimate system processes, especially when the source is an executable launched from publicly accessible directories such as temp, appdata, or public.”
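One way to put Kaspersky's monitoring recommendation into practice, as an added example that is not from the article or from Kaspersky: a small filter over Sysmon-style process-injection events (CreateRemoteThread, ID 8, and ProcessAccess, ID 10) that flags a source executable living under temp, appdata, or public when it targets the two processes the article names. The field names follow Sysmon's SourceImage/TargetImage convention, and the sample events are constructed, not real telemetry.

```python
from pathlib import PureWindowsPath

# Launch directories the article quotes Kaspersky as calling suspicious (matched case-insensitively).
SUSPICIOUS_DIRS = ("temp", "appdata", "public")
# Legitimate system processes the article says QUIC RAT injects into.
INJECTION_TARGETS = {"notepad.exe", "conhost.exe"}
# Sysmon event IDs for CreateRemoteThread (8) and ProcessAccess (10).
INJECTION_EVENT_IDS = (8, 10)


def launched_from_suspicious_dir(image_path: str) -> bool:
    """True if any directory component of the source image is temp, appdata or public."""
    parts = [p.lower() for p in PureWindowsPath(image_path).parts]
    return any(p in SUSPICIOUS_DIRS for p in parts)


def is_suspicious_injection(event: dict) -> bool:
    """Flag an injection-type event whose source binary runs from a user-writable
    directory and whose target is one of the system processes named in the article."""
    if event.get("EventID") not in INJECTION_EVENT_IDS:
        return False
    target = PureWindowsPath(event["TargetImage"]).name.lower()
    if target not in INJECTION_TARGETS:
        return False
    return launched_from_suspicious_dir(event["SourceImage"])


def scan(events):
    """Return the subset of events that warrant an alert."""
    return [e for e in events if is_suspicious_injection(e)]


# Constructed sample events (assumed Sysmon-like shape; not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},   # flagged: Temp -> notepad
    {"EventID": 10, "SourceImage": r"C:\Users\Public\loader.exe",
     "TargetImage": r"C:\Windows\System32\conhost.exe"},   # flagged: Public -> conhost
    {"EventID": 10, "SourceImage": r"C:\Program Files\Vendor\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},   # not flagged: trusted install dir
    {"EventID": 1, "SourceImage": r"C:\Users\Public\loader.exe",
     "TargetImage": r"C:\Windows\System32\conhost.exe"},   # not flagged: process-create, not injection
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT: EventID {hit['EventID']} {hit['SourceImage']} -> {hit['TargetImage']}")
```

Expect tuning in a real environment: some legitimate software installs under AppData and will match the directory check, so an allowlist of known-good source images belongs in front of this rule.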
