A relatively new threat actor known as YoroTrooper is likely made up of operators originating from Kazakhstan.
The assessment, which comes from Cisco Talos, is based on the operators' fluency in Kazakh and Russian, their use of the Kazakhstani tenge to pay for operating infrastructure, and their very limited targeting of Kazakhstani entities, the sole exception being the government's Anti-Corruption Agency.
“YoroTrooper attempts to obfuscate the origin of their operations, employing various tactics to make its malicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region,” security researchers Asheer Malhotra and Vitor Ventura said.
First documented by the cybersecurity company in March 2023, the adversary has been active since at least June 2022, singling out state-owned entities in Commonwealth of Independent States (CIS) countries. Slovak cybersecurity firm ESET tracks the same activity under the name SturgeonPhisher.
YoroTrooper’s attack cycles primarily rely on spear-phishing to distribute a medley of commodity and open source stealer malware, although the group has also been observed using the initial access vector to direct victims to attacker-controlled credential harvesting sites.
“The practice of credential-harvesting runs complementary to YoroTrooper’s malware-based operations with the end goal being data theft,” the researchers said.
Public disclosure of the threat actor’s campaigns has prompted a tactical revamp of its arsenal, pivoting from commodity malware to custom tools programmed in Python, PowerShell, Golang, and Rust.
Further evidence of the actor's ties to Kazakhstan is that it regularly runs security scans against the state-owned email service mail[.]kz, indicating an ongoing effort to monitor the site for security weaknesses.
It also periodically checks the tenge-to-Bitcoin exchange rate on Google ("btc to kzt") and uses alfachange[.]com to convert tenge to Bitcoin in order to pay for infrastructure upkeep.
Since June 2023, YoroTrooper's targeting of CIS countries has been accompanied by a growing reliance on bespoke implants, alongside the use of vulnerability scanners such as Acunetix and open-source intelligence from search engines such as Shodan to locate and infiltrate victim networks.
Some of the targets included Tajikistan’s Chamber of Commerce, the Drug Control Agency, the Ministry of Foreign Affairs, Kyrgyzstan’s KyrgyzKomur, and the Ministry of Energy of the Republic of Uzbekistan.
Another notable aspect is the use of email accounts to register and purchase tools and services, including a NordVPN subscription and a VPS instance from netx[.]hosting for $16 a month.
A major update to the infection chain entails porting its Python-based remote access trojan (RAT) to PowerShell as well as employing a custom-built interactive reverse shell to run commands on infected endpoints via cmd.exe. The PowerShell RAT is designed to accept incoming commands and exfiltrate data via Telegram.
In addition to experimenting with multiple types of delivery vehicles for its backdoors, YoroTrooper is said to have added Golang- and Rust-based malware as of September 2023, which lets it establish a reverse shell and harvest sensitive data.
“Their Golang-based implants are ports of the Python-based RAT that uses Telegram channels for file exfiltration and C2 communication,” the researchers explained.
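As an added practitioner check (example code written for this page, not Talos tooling and not anything recovered from YoroTrooper's implants): implants that use the Telegram Bot API for both tasking and file exfiltration leave a recognisable pattern in egress logs, because command polling and uploads go to the same host under the same `/bot<token>/<method>` URL scheme. The script below runs over constructed proxy-log lines in an assumed `timestamp host process dest path bytes_out` format and flags scripting hosts talking to api.telegram.org, non-browser processes polling `getUpdates`, and large uploads via the file-sending methods, then correlates tasking and upload on the same bot token. The process lists, the upload threshold, the log format and the dummy bot tokens are all assumptions for the example.

```python
"""Hunt for Telegram Bot API command-and-control and exfiltration in proxy logs.

Added example for this page; not Cisco Talos code and not YoroTrooper code.
Log format (assumed): <timestamp> <host> <process> <dest_host> <path> <bytes_out>
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Interpreters and LOLBins that have no legitimate reason to call the Bot API.
# Assumed lists; tune both to the environment's own baseline.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "python.exe",
                "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}

# Bot API path: /bot<id>:<secret>/<method>[?query]
BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")
POLL_METHODS = {"getUpdates"}                      # how a bot receives commands
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}
LARGE_UPLOAD = 256 * 1024                          # bytes; assumed threshold

# Constructed sample lines (hosts, processes and tokens are made up).
SAMPLE_LOG = """\
2023-10-02T08:14:03Z WS-0142 chrome.exe api.telegram.org /bot111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getMe 412
2023-10-02T08:15:11Z WS-0142 powershell.exe api.telegram.org /bot111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getUpdates?offset=1 388
2023-10-02T08:15:40Z WS-0142 powershell.exe api.telegram.org /bot111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendDocument 1048576
2023-10-02T08:16:02Z WS-0207 updater.exe api.telegram.org /bot222222222:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/getUpdates 301
2023-10-02T08:17:30Z WS-0142 outlook.exe mail.kz /login 9120
2023-10-02T08:18:05Z WS-0301 chrome.exe web.telegram.org /k/ 5120
"""


@dataclass
class Event:
    ts: str
    host: str
    process: str
    dest: str
    path: str
    bytes_out: int


@dataclass
class Finding:
    host: str
    process: str
    severity: str   # "medium", "high" or "critical"
    reason: str


def parse_line(line: str):
    """Parse one log line into an Event; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].isdigit():
        return None
    ts, host, proc, dest, path, b = parts
    return Event(ts, host, proc.lower(), dest.lower(), path, int(b))


def analyze(log_text: str) -> list[Finding]:
    """Return findings for Bot API traffic that fits the tasking/exfil pattern."""
    findings: list[Finding] = []
    # (host, process, token) -> Bot API methods seen, for cross-event correlation
    per_bot: dict[tuple, set] = defaultdict(set)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev.dest != "api.telegram.org":
            continue
        m = BOT_PATH.match(ev.path)
        if not m:
            continue
        token, method = m["token"], m["method"]
        per_bot[(ev.host, ev.process, token)].add(method)
        if ev.process in SCRIPT_HOSTS:
            findings.append(Finding(ev.host, ev.process, "high",
                                    f"scripting host calling Bot API method {method}"))
        elif ev.process not in BROWSERS and method in POLL_METHODS:
            findings.append(Finding(ev.host, ev.process, "medium",
                                    "non-browser process polling getUpdates"))
        if method in EXFIL_METHODS and ev.bytes_out >= LARGE_UPLOAD:
            findings.append(Finding(ev.host, ev.process, "high",
                                    f"{ev.bytes_out} bytes uploaded via {method}"))
    # One token used for both receiving commands and pushing files is the
    # implant pattern described above, so escalate it.
    for (host, proc, token), methods in per_bot.items():
        if methods & POLL_METHODS and methods & EXFIL_METHODS:
            bot_id = token.split(":")[0]
            findings.append(Finding(host, proc, "critical",
                                    f"bot {bot_id} used for both tasking and upload"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.severity:8} {f.host} {f.process}: {f.reason}")
```

The correlation step is the part worth keeping even if the process allow-lists are loosened: a single bot token that both polls `getUpdates` and calls a `send*` file method from one endpoint is the behaviour the page attributes to these implants, regardless of which binary carries it. The bot token in the URL path is also a pivot for retro-hunting across hosts.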