Insights, news, education and announcements from PolySwarm

YoroTrooper Targeting Energy & Government Entities

Written by The Hivemind | Mar 24, 2023 6:58:36 PM

Related Families: Custom Python tools, AveMaria, Warzone RAT, LodaRAT, Stink
Verticals Targeted: Energy, Government, Healthcare


Executive Summary

YoroTrooper is a threat actor group observed targeting energy and government entities and an EU healthcare organization. Although YoroTrooper uses commodity and open-source tools, most of their final payloads are custom developed.

Key Takeaways

  • YoroTrooper is a threat actor group observed targeting energy and government entities and an EU healthcare organization.  
  • The group has been active since at least mid-2022 and is thought to be Russian speakers but not necessarily of Russia nexus.
  • The group’s most recently observed activity was in February 2023. 
  • Although YoroTrooper uses commodity and open-source tools, most of their final payloads are custom developed.

Who is YoroTrooper?

Cisco Talos recently reported on YoroTrooper, a threat actor group observed targeting energy and government entities and an EU healthcare organization.  The group has been active since at least mid-2022 and is thought to be Russian speakers, but not necessarily of Russia nexus. Most of the targeted organizations were in Azerbaijan, Tajikistan, Uzbekistan, Russia, Belarus, and Kyrgyzstan. The group’s most recently observed activity was in February 2023.

YoroTrooper appears to target these entities with espionage or reconnaissance for follow-on attacks as the main objective. The group steals victim information, including credentials, browser history and cookies, screenshots, and system information. YoroTrooper uses a variety of tools, mostly Python-based. Some are custom-built, and others are open-source. Known tools used include reverse shells, Stink stealer, the Nuitka framework, PyInstaller, AveMaria/Warzone RAT, LodaRAT, and Meterpreter. Other YoroTooper TTPs include social engineering, spearphishing, and data exfiltration.

YoroTrooper uses phishing emails with an archive attachment as an initial attack vector., The archive typically contains a decoy PDF and a shortcut file. The PDF is used as a lure to feign legitimacy.The malicious LNK shortcut file is used to trigger the infection, acting as a simple downloader and using mshta.exe to download and execute a remote HTA file.

Most of the group’s final payloads are custom developed, including a custom Python RAT, stealer, and keylogger. The Python RAT uses Telegram for C2 and is capable of running arbitrary commands on the victim machine and exfiltrating files of interest to an actor-controlled Telegram channel via a bot. YoroTrooper also uses a custom stealer script that steals Chrome browser login data and exfiltrates it to Telegram. This stealer seems to be based on Lazagne. A third custom payload is a C-based keylogger.

Cisco Talos researchers noted a potential overlap between YoroTrooper and PoetRAT team. Both share similar TTPs and victimology, targeting the same verticals and locales.

IOCs

PolySwarm has multiple samples associated with YoroTrooper.

Bab2776edef029cf4632663c59297bb25eced4f7dece18cfa45e88ce2ece42a0

F5664b2a20367afe8c291399ea3da0af3c1001617b6bd497d423f44b4853d273

30574abb4af368912a1f928fe67427bf3e678a205169516d7590f28d0b4bb286

E3f35f911f179f96352cfc5887ee5e82a82069e022b60cb35de453f1eb76d1d3

4bde6056cf67d410376bd3c319706032eb899a7548928842d63a886ffd82e1d6

2b433f5a2aa1b75d75460e6a22f142a47d9c0bc0a89035f767e10a8b571c7b28

C868185e0051c53c90ff4d5f2503b5647e8a3f3aac4aa2d0065f2178af60f7cf

96a70a20a24959dc270e12889e4bff81a86c0e4a0f23b8dc9976843940ec8ddd

F3d8916b99d7e6301a885b2ec4aaf9635f1713464c53b1604d3b4e1abd673c36

C02c7b9a82a75cb251b2b7307503284a408f20e689f1be30fe50173a8b6e288b

Db9a6efd5d64ba0ba1783c51b6d430873518fa032bf5265c6837c7674321e183

00466d76832193b3f8be186d00e48005b460d6895798a67bc1c21e4655cb2e62

8023da2c9d45536dee2020d38edec20a88b8f5115fca6335929f94c683d60dd5

27e69c96af1f692ce43706904de61f841abec45a57ff0b7a7d3cbbb417455a53


You can use the following CLI command to search for all YoroTrooper samples in our portal:

$ polyswarm link list -f YoroTrooper


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports