YoroTrooper is an espionage-focused threat actor that has been active since at least June 2022 [4]. The group is assessed to originate from Kazakhstan and primarily targets state-owned entities in Commonwealth of Independent States (CIS) countries [2].

Description

YoroTrooper [1] [2] [3] [4] [5] [6] [7] is attributed to Kazakhstan [2] [5] [7]: its operators are fluent in Kazakh and Russian [7], pay for operating infrastructure in Tenge [7], and target Kazakhstani entities only selectively, the notable exception being the government's Anti-Corruption Agency [4] [7]. The group's main focus is state-owned entities in other CIS countries, chiefly Tajikistan, Kyrgyzstan [2] [3] [5], and Uzbekistan [2] [3] [4] [5].

YoroTrooper also shows a defensive interest in the Kazakhstani state-owned email service, periodically assessing the security of its website [4]. The group has recently moved from commodity malware to custom tooling written in Python [3], PowerShell [2] [3] [5], Golang [2] [3] [5], and Rust [2] [3] [5] [6]. Its infection chain delivers a Python-based remote access trojan (RAT) and a custom interactive reverse shell [2]; Golang- and Rust-based implants have since been added to establish a reverse shell and harvest sensitive data [2].

YoroTrooper relies heavily on spear-phishing and credential harvesting to steal data. The operators use email accounts to register for and purchase tools and services [2] [5], including a NordVPN subscription and a VPS instance [5]. To obscure their origin they route operations through VPN exit nodes in Azerbaijan, a false flag intended to make the activity appear to come from that country [4]. The operators speak Kazakh [4], Russian [1] [4] [7], and Uzbek [4], which further supports the Kazakhstan attribution [4]. They monitor currency conversion rates [3] and pay for infrastructure upkeep in Bitcoin [3].

Confirmed targets include organizations in Tajikistan [3], Kyrgyzstan [2] [3] [5], and Uzbekistan [2] [3] [4] [5]. The group has experimented with different delivery vehicles for its backdoors and has added Golang- and Rust-based malware to its arsenal [5]. Telegram serves both as the command-and-control (C2) channel and as the path for data exfiltration [5]. YoroTrooper has also expanded its spam operations and planted false flags to mislead researchers [6]. Between May and August 2023 [6], it compromised state-owned websites and government officials' accounts [4] [6].
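Because the profile reports Telegram as both the C2 channel and the exfiltration path, the one network artefact a defender can hunt for without any sample of the group's implants is Bot API traffic in the web-proxy log. The script below is an added example written for this page, not code from the page or from any of the cited reports, and it makes no claim about how YoroTrooper's implants actually format their requests. What it relies on is public and stable: Telegram Bot API calls go to `https://api.telegram.org/bot<id>:<secret>/<method>`, implants typically poll `getUpdates` for tasking and push data with `sendDocument` or `sendMessage`. The tab-separated log format, the hostnames, the bot tokens and every log line are constructed for the example.

```python
"""Hunt for Telegram Bot API traffic in web-proxy logs.

An implant using Telegram for C2 and exfiltration talks to
api.telegram.org/bot<token>/<method>; an inspecting proxy records that URL.
This script groups such calls per client host and scores them as hunting leads.
"""
import re
from collections import defaultdict

# Telegram Bot API URL shape: https://api.telegram.org/bot<id>:<secret>/<method>
# The token is a credential, so only the numeric bot id is kept for reporting.
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})"
    r"/(?P<method>[A-Za-z]+)"
)
TASKING_METHODS = {"getUpdates", "getFile"}                   # implant pulling commands or payloads
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}  # implant pushing data out
SCRIPT_UA_PREFIXES = ("python-requests", "python-urllib", "go-http-client", "curl", "reqwest")

# Constructed sample log (not real traffic). Tab-separated fields:
# time, client ip, HTTP method, url, user agent, status, bytes sent by client
SAMPLE_LOGS = """\
2023-07-12T09:14:02Z\t10.20.5.17\tPOST\thttps://api.telegram.org/bot6123456789:AAF3q9ZkL2mWv0xYtT8uRrSsN1pPoO7eE2d/sendDocument\tpython-requests/2.31.0\t200\t348112
2023-07-12T09:14:31Z\t10.20.5.17\tGET\thttps://api.telegram.org/bot6123456789:AAF3q9ZkL2mWv0xYtT8uRrSsN1pPoO7eE2d/getUpdates?offset=42\tpython-requests/2.31.0\t200\t512
2023-07-12T09:15:07Z\t10.20.5.17\tGET\thttps://api.telegram.org/bot6123456789:AAF3q9ZkL2mWv0xYtT8uRrSsN1pPoO7eE2d/getUpdates?offset=43\tpython-requests/2.31.0\t200\t498
2023-07-12T09:16:20Z\t10.20.5.42\tGET\thttps://web.telegram.org/a/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0\t200\t1204
2023-07-12T09:17:01Z\t10.20.5.42\tGET\thttps://www.example.gov/news\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0\t200\t5320
2023-07-12T09:18:44Z\t10.20.5.90\tPOST\thttps://api.telegram.org/bot7000000001:BBGxx1yy2zz3aa4bb5cc6dd7ee8ff9gg0hh/sendMessage\tMonitoringBot/1.0\t200\t96
"""


def parse_line(line):
    """Split one proxy log line into a dict; raises ValueError on malformed lines."""
    ts, client, http_method, url, ua, status, sent = line.split("\t")
    return {"ts": ts, "client": client, "http_method": http_method, "url": url,
            "ua": ua, "status": int(status), "bytes_sent": int(sent)}


def find_bot_api_leads(log_text, exfil_threshold=100_000):
    """Return one hunting lead per client host that called the Bot API,
    ordered by how many C2-like indicators the host shows."""
    per_client = defaultdict(lambda: {
        "bot_ids": set(), "user_agents": set(),
        "tasking": 0, "exfil": 0, "bytes_sent": 0,
    })
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = BOT_API_RE.match(rec["url"])
        if not m:
            continue  # ordinary browsing, including web.telegram.org, is not Bot API traffic
        entry = per_client[rec["client"]]
        entry["bot_ids"].add(m.group("bot_id"))
        entry["user_agents"].add(rec["ua"])
        api_method = m.group("method")
        if api_method in TASKING_METHODS:
            entry["tasking"] += 1
        elif api_method in EXFIL_METHODS:
            entry["exfil"] += 1
            entry["bytes_sent"] += rec["bytes_sent"]

    leads = []
    for client, e in per_client.items():
        reasons = []
        if e["tasking"] and e["exfil"]:
            reasons.append("polls getUpdates and uploads data: bidirectional C2 pattern")
        if e["bytes_sent"] >= exfil_threshold:
            reasons.append(f"{e['bytes_sent']} bytes uploaded through the Bot API")
        if any(ua.lower().startswith(SCRIPT_UA_PREFIXES) for ua in e["user_agents"]):
            reasons.append("HTTP-library user agent (scripted client, not a browser)")
        leads.append({
            "client": client,
            "bot_ids": sorted(e["bot_ids"]),  # token secret deliberately not reported
            "severity": len(reasons),
            "reasons": reasons,
        })
    return sorted(leads, key=lambda lead: lead["severity"], reverse=True)


if __name__ == "__main__":
    for lead in find_bot_api_leads(SAMPLE_LOGS):
        print(f"{lead['client']} severity={lead['severity']} bots={lead['bot_ids']}")
        for reason in lead["reasons"]:
            print(f"    - {reason}")
```

On the constructed sample, host 10.20.5.17 surfaces with all three indicators, 10.20.5.90 (a single small `sendMessage` from a named internal bot) is listed with severity 0 so an analyst can still allow-list it, and the browser session on web.telegram.org is ignored. Two caveats apply: the heuristic only sees Bot API traffic that passes through an inspecting proxy, so an implant tunnelled over the VPN infrastructure described above, or one that speaks Telegram's MTProto client protocol instead of the HTTPS Bot API, will not appear; and the presence of legitimate bots means the output is a lead for triage, not an alert on its own.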

Conclusion

YoroTrooper's activity has a significant impact on its victims, above all state-owned organizations in CIS countries. Mitigation should focus on email security and on user awareness of spear-phishing and credential harvesting, since those are the group's primary intrusion vectors, together with detection of its post-compromise tooling, in particular outbound Telegram traffic used for C2 and exfiltration [5]. As the group's tactics and tooling keep evolving, continuous monitoring and proactive defense are needed to keep pace with its espionage activity.

References

[1] https://thecyberwire.com/newsletters/daily-briefing/12/205
[2] https://thehackernews.com/2023/10/yorotrooper-researchers-warn-of.html
[3] https://www.redpacketsecurity.com/yorotrooper-researchers-warn-of-kazakhstan-s-stealthy-cyber-espionage-group/
[4] https://blog.talosintelligence.com/attributing-yorotrooper/
[5] https://vulners.com/thn/THN:319DF09150532549FC0390943E1BBF83
[6] https://blog.talosintelligence.com/threat-source-newsletter-oct-26-2023/
[7] https://cyber.vumetric.com/security-news/2023/10/26/yorotrooper-researchers-warn-of-kazakhstan-s-stealthy-cyber-espionage-group/