The TA428 APT group is assessed to have taken part in attacks against government and private IT entities in Russia and Mongolia. The activity was first observed on January 21, 2021 and appears to be ongoing. Based on the infrastructure, tradecraft and victim set involved, the campaign is assessed to be aimed primarily at information technology institutions of the Russian and Mongolian governments.
The group has been active since 2013 and uses a customized toolset against targets in the IT, scientific research, internal affairs, diplomacy, political and financial sectors. In February 2021, NTT researchers reported TA428 attacks on defense and aviation organizations in Russia and Mongolia and assessed that the group is likely to keep targeting Russian and Mongolian organizations.
TA428 uses lookalike domain names themed on Mongolian and Russian news websites, plus two subdomains that impersonate a U.S. news agency (Bloomberg). The C2 domains are listed below in defanged form:
aircraft.tsagagaar[.]com
nubia.tsagagaar[.]com
gazar.ecustoms-mn[.]com
govi-altai.ecustoms-mn[.]com
gogonews.organiccrap[.]com
niigem.olloo-news[.]com
oolnewsmongol.ddns[.]info
bloomberg.mefound[.]com
bloomberg.ns02[.]biz
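The domain list above is only useful once it is matched against telemetry. The following is an added example (not code from the original report or from TA428's tooling) that refangs the published indicators and sweeps constructed DNS query log lines for them. It assumes a simple "timestamp client qtype qname" log format; the log lines are made up for the example. Note that matching deliberately stops at the indicator itself: several of these names sit under shared dynamic-DNS zones (ddns[.]info, mefound[.]com, ns02[.]biz), so matching on the parent would flag unrelated hosts.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Defanged C2 indicators exactly as listed above.
DEFANGED_C2 = [
    "aircraft.tsagagaar[.]com",
    "nubia.tsagagaar[.]com",
    "gazar.ecustoms-mn[.]com",
    "govi-altai.ecustoms-mn[.]com",
    "gogonews.organiccrap[.]com",
    "niigem.olloo-news[.]com",
    "oolnewsmongol.ddns[.]info",
    "bloomberg.mefound[.]com",
    "bloomberg.ns02[.]biz",
]


def refang(indicator: str) -> str:
    """Undo common defanging ("[.]", "(.)", " [. ] ", hxxp) and normalize case."""
    d = indicator.strip().lower()
    d = re.sub(r"\s*[\[(]\s*\.\s*[\])]\s*", ".", d)  # "[.]", "(.)", "[. ]" -> "."
    if d.startswith("hxxp"):
        d = "http" + d[4:]
    return d.rstrip(".")  # drop a trailing FQDN dot


C2_DOMAINS = {refang(d) for d in DEFANGED_C2}


def match_host(host: str) -> Optional[str]:
    """Return the IOC that `host` equals or is a subdomain of, else None.

    The walk goes from the full name towards the registered domain but only
    returns on an exact IOC hit, so the shared dynamic-DNS parents never match.
    """
    labels = refang(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in C2_DOMAINS:
            return candidate
    return None


# Constructed DNS log lines (not real telemetry): "<timestamp> <client> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2021-02-03T10:15:22Z 10.0.0.15 A nubia.tsagagaar.com
2021-02-03T10:15:23Z 10.0.0.15 A www.bloomberg.com
2021-02-03T10:16:01Z 10.0.0.42 A bloomberg.ns02.biz.
2021-02-03T10:16:05Z 10.0.0.42 AAAA someone-else.ddns.info
2021-02-03T10:17:40Z 10.0.0.77 A cdn.gogonews.organiccrap.com
"""


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched IOC) for every line that hits an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or empty line
        client, qname = parts[1], parts[3]
        ioc = match_host(qname)
        if ioc:
            hits.append((client, qname.rstrip("."), ioc))
    return hits


if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{client} queried {qname} -> matches {ioc}")
```

Against the constructed log, the sweep reports three hits: the exact query for nubia.tsagagaar.com, the trailing-dot query for bloomberg.ns02.biz, and a subdomain of gogonews.organiccrap.com; the query for another host under ddns.info is correctly left alone.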
x86.dll targets 32-bit environments and x64.dll targets 64-bit ones. When executed, the DLL drops two files: PotPlayerMini.exe, a legitimate executable susceptible to DLL hijacking (DLL side-loading), and PotPlayer.dll, the PoisonIvy payload. PotPlayerMini.exe is then run so that it loads the malicious PotPlayer.dll from its own directory. In this sample the DLL is configured to communicate with the C2 domain nubia.tsagagaar[.]com. For lateral movement the operators use the EternalBlue exploit (MS17-010, SMBv1) and inject the initial DLL into the lsass.exe process on the target host.
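The execution chain above leaves two host-side signals worth a detection: a legitimate binary loading an unsigned copy of its expected DLL from a non-install directory, and lsass.exe loading a module it has no business loading. The following is an added example (not the report's or the actor's code) that applies both checks to constructed records carrying Sysmon field names (Event ID 7 ImageLoad: Image, ImageLoaded, Signed, SignatureStatus; Event ID 10 ProcessAccess: SourceImage, TargetImage, GrantedAccess). The side-load host list, the system directories, the lsass allowlist and the sample events are assumptions for the example and should be tuned per environment.

```python
import ntpath
from typing import Any, Dict, List

# Legitimate executables known to load a specific DLL from their own directory;
# the report names PotPlayerMini.exe / PotPlayer.dll. Extend as needed (assumption).
SIDELOAD_HOSTS = {"potplayermini.exe": "potplayer.dll"}

# Directories lsass.exe is expected to load modules from (assumes a default Windows install).
LSASS_MODULE_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Processes that legitimately open lsass.exe with broad rights (assumed allowlist).
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

# Access rights in GrantedAccess that are sufficient to inject code into the target.
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0002, 0x0008, 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def _base(p: str) -> str:
    return ntpath.basename(p).lower()


def _dir(p: str) -> str:
    return ntpath.dirname(p).lower()


def _signed(ev: Dict[str, Any]) -> bool:
    return str(ev.get("Signed", "false")).lower() == "true" and ev.get("SignatureStatus") == "Valid"


def check_image_load(ev: Dict[str, Any]) -> str:
    """Sysmon Event ID 7 logic. Flags (1) a known side-load host loading an unsigned copy of
    its expected DLL from the directory it runs in, and (2) lsass.exe loading a module that is
    unsigned or located outside the system directories. Returns an alert string or ''."""
    host, dll = _base(ev["Image"]), _base(ev["ImageLoaded"])
    same_dir = _dir(ev["Image"]) == _dir(ev["ImageLoaded"])
    if SIDELOAD_HOSTS.get(host) == dll and same_dir and not _signed(ev):
        return f"dll-sideload: {ev['Image']} loaded unsigned {ev['ImageLoaded']}"
    if host == "lsass.exe" and (not _signed(ev) or _dir(ev["ImageLoaded"]) not in LSASS_MODULE_DIRS):
        return f"lsass-module: lsass.exe loaded {ev['ImageLoaded']}"
    return ""


def check_process_access(ev: Dict[str, Any]) -> str:
    """Sysmon Event ID 10 logic: a non-allowlisted process opening lsass.exe with rights
    that permit injection. Only covers the user-mode injection path; kernel-mode injection
    (as performed by an SMB exploit) does not originate from a user process."""
    if _base(ev["TargetImage"]) != "lsass.exe" or _base(ev["SourceImage"]) in LSASS_ALLOWED_SOURCES:
        return ""
    granted = int(ev["GrantedAccess"], 16)
    if granted & INJECT_MASK:
        return f"lsass-access: {ev['SourceImage']} opened lsass.exe with 0x{granted:X}"
    return ""


def triage(events: List[Dict[str, Any]]) -> List[str]:
    """Run the matching check for each event and collect the non-empty alerts."""
    handlers = {7: check_image_load, 10: check_process_access}
    alerts = []
    for ev in events:
        handler = handlers.get(ev["EventID"])
        alert = handler(ev) if handler else ""
        if alert:
            alerts.append(alert)
    return alerts


# Constructed events with Sysmon field names (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\Documents\PotPlayerMini.exe",
     "ImageLoaded": r"C:\Users\Public\Documents\PotPlayer.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Program Files\DAUM\PotPlayer\PotPlayerMini.exe",
     "ImageLoaded": r"C:\Program Files\DAUM\PotPlayer\PotPlayer.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\Temp\x64.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\Documents\PotPlayerMini.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events the triage raises three alerts (the user-directory side-load, lsass.exe loading an unsigned x64.dll from a temp directory, and the side-loaded process opening lsass.exe with full access) and stays quiet on the signed install under Program Files, the legitimate cryptdll.dll load and the allowlisted csrss.exe access. Because EternalBlue-based injection is driven from the kernel rather than from a user-mode process, the lsass module-load check and patching MS17-010 matter more for that stage than the ProcessAccess check does.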