Cyber Security News

Hackers Deploy New Malware Disguised as Networking Software Updates

A sophisticated backdoor has been uncovered targeting major organizations across Russia, including government bodies, financial institutions, and industrial sectors.

This malware, distributed under the guise of legitimate updates for ViPNet, a widely used software suite for creating secure networks, poses a significant threat to affected entities.

Our ongoing investigation into this cyber incident underscores the urgency of sharing preliminary findings to help at-risk organizations bolster their defenses against this insidious attack.

The malware’s distribution method, technical execution, and potential impact reveal a meticulously planned operation by advanced persistent threat (APT) actors.

Sophisticated Backdoor Targets Russian Organizations

The attackers have cleverly impersonated ViPNet updates, packaging their malicious payload within LZH archives that mimic the structure of authentic software updates.

These archives typically contain four key components: a configuration file named action.inf, a legitimate executable called lumpdiag.exe, a malicious executable disguised as msinfo32.exe, and an encrypted file, with a varying filename, that holds the core payload.

According to the report, the action.inf file instructs the ViPNet update service (itcsrvup64.exe) to execute lumpdiag.exe with a specific argument (–msconfig).

While lumpdiag.exe itself is benign, it is vulnerable to a path substitution technique, enabling the attackers to hijack the process and execute the malicious msinfo32.exe.

This loader then decrypts and loads the backdoor into memory, establishing a connection to a command-and-control (C2) server via TCP.

Once active, the backdoor empowers attackers to exfiltrate sensitive data, deploy additional malicious components, and maintain persistent access to compromised systems.

Kaspersky solutions have identified this threat as HEUR:Trojan.Win32.Loader.gen, and the ViPNet developer has confirmed targeted attacks on some users, issuing security updates and recommendations in response.

Multi-Layered Defense Against Evolving Threats

The complexity of this attack highlights the escalating sophistication of APT-driven cyberattacks, where adversaries exploit trusted software update mechanisms in unexpected ways to infiltrate high-value targets.

The ability to disguise malware as routine updates underscores the need for robust, multi-layered security architectures to counter such threats.

Defense-in-depth strategies, as implemented in products like Kaspersky NEXT, are critical for businesses to detect and mitigate similar attacks.

These solutions integrate advanced endpoint protection, threat intelligence, and proactive monitoring to safeguard against both known and emerging threats.

Organizations are urged to scrutinize update processes, verify the integrity of software patches, and deploy comprehensive security measures to prevent unauthorized access.

For actionable insights, indicators of compromise (IoCs), including specific hashes of the malicious msinfo32.exe and the file paths where the malware resides, have been identified.

These hashes include 018AD336474B9E54E1BD0E9528CA4DB5, 28AC759E6662A4B4BE3E5BA7CFB62204, and others, with malicious files often located in temporary update folders under %TEMP% or %PROGRAMFILES%.
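The infection chain described above (action.inf, lumpdiag.exe and a fake msinfo32.exe delivered together, with lumpdiag.exe launched with an msconfig argument) and the published MD5 hashes give a defender enough to write a simple triage script. The following is an added example, not code from the article, from Kaspersky or from the ViPNet developer. It assumes the archive has already been extracted to a directory, that action.inf is a text file (its real syntax is not described here, so only a loose substring check is made), and it uses constructed placeholder file contents for the demo tree; the two hashes are the ones quoted above, and 32 hex characters identifies them as MD5.

```python
"""Triage helper for the fake ViPNet update bundles described in the article.

Added example (not Kaspersky's or ViPNet's code). Flags a directory when the three
named components are co-located, when action.inf references lumpdiag.exe together
with an msconfig argument, or when msinfo32.exe matches a published IoC hash.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

# MD5 hashes of the malicious msinfo32.exe quoted in the article.
KNOWN_BAD_MD5 = {
    "018ad336474b9e54e1bd0e9528ca4db5",
    "28ac759e6662a4b4be3e5ba7cfb62204",
}

# The three named components that co-occur in the fake update archives.
BUNDLE_FILES = ("action.inf", "lumpdiag.exe", "msinfo32.exe")


@dataclass
class Finding:
    directory: str
    md5: str = ""
    reasons: List[str] = field(default_factory=list)


def md5_of(path: str) -> str:
    """Stream the file through MD5 so large executables do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def action_inf_launches_lumpdiag(path: str) -> bool:
    """Loose check: does action.inf mention lumpdiag.exe and an msconfig argument?"""
    try:
        with open(path, "rb") as f:
            text = f.read().decode("utf-8", errors="ignore").lower()
    except OSError:
        return False
    return "lumpdiag" in text and "msconfig" in text


def inspect_directory(directory: str) -> Optional[Finding]:
    """Return a Finding if the directory looks like a malicious update bundle, else None."""
    names = {n.lower(): n for n in os.listdir(directory)}
    if "msinfo32.exe" not in names:
        return None  # the disguised loader is the pivot of the chain; nothing to triage without it
    finding = Finding(directory)
    # The legitimate msinfo32.exe lives in %SystemRoot%\System32; a copy sitting next to
    # lumpdiag.exe and action.inf matches the bundle layout the report describes.
    if all(f in names for f in BUNDLE_FILES):
        finding.reasons.append("action.inf, lumpdiag.exe and msinfo32.exe co-located")
    if "action.inf" in names and action_inf_launches_lumpdiag(
        os.path.join(directory, names["action.inf"])
    ):
        finding.reasons.append("action.inf launches lumpdiag.exe with msconfig argument")
    finding.md5 = md5_of(os.path.join(directory, names["msinfo32.exe"]))
    if finding.md5 in KNOWN_BAD_MD5:
        finding.reasons.append("msinfo32.exe matches published IoC hash")
    return finding if finding.reasons else None


def scan(root: str) -> List[Finding]:
    """Walk an extracted update folder (e.g. under %TEMP%) and collect findings."""
    return [f for dirpath, _, _ in os.walk(root) if (f := inspect_directory(dirpath))]


def build_demo_tree() -> str:
    """Constructed sample tree: one fake bundle and one benign directory (placeholder contents)."""
    root = tempfile.mkdtemp(prefix="vipnet_triage_")
    bundle = os.path.join(root, "update_bundle")
    os.makedirs(bundle)
    # Constructed action.inf line; the real syntax is not given, only that it runs lumpdiag.exe with msconfig.
    with open(os.path.join(bundle, "action.inf"), "w") as f:
        f.write("lumpdiag.exe -msconfig\n")
    with open(os.path.join(bundle, "lumpdiag.exe"), "wb") as f:
        f.write(b"placeholder legitimate binary")
    with open(os.path.join(bundle, "msinfo32.exe"), "wb") as f:
        f.write(b"abc")  # placeholder; will not match a real IoC hash
    benign = os.path.join(root, "benign")
    os.makedirs(benign)
    with open(os.path.join(benign, "readme.txt"), "w") as f:
        f.write("nothing to see\n")
    return root


def run_demo() -> List[Finding]:
    return scan(build_demo_tree())


if __name__ == "__main__":
    for finding in run_demo():
        print(finding.directory, finding.md5, finding.reasons)
```

The co-location and action.inf checks catch bundles whose loader has been recompiled to a new hash, while the hash comparison gives a definite match against the IoCs Kaspersky has published; in practice the hash set would be loaded from the full IoC list rather than hard-coded.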

Access to a full list of IoCs is available through Kaspersky Threat Intelligence services.

As this threat continues to evolve, staying informed and proactive is paramount for organizations aiming to shield themselves from such covert and damaging cyberattacks.


Aman Mishra