Tashkent Citizen · Researchers Archives (https://tashkentcitizen.com/tag/researchers/)

Yorotrooper: Researchers Warn of Kazakhstan's Stealthy Cyber Espionage Group
https://tashkentcitizen.com/yorotrooper-researchers-warn-of-kazakhstans-stealthy-cyber-espionage-group/
Tue, 07 Nov 2023
A relatively new threat actor known as YoroTrooper is likely made of operators originating from Kazakhstan.

The assessment, which comes from Cisco Talos, is based on their fluency in Kazakh and Russian, use of Tenge to pay for operating infrastructure, and very limited targeting of Kazakhstani entities, barring the government’s Anti-Corruption Agency.

“YoroTrooper attempts to obfuscate the origin of their operations, employing various tactics to make its malicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region,” security researchers Asheer Malhotra and Vitor Ventura said.

First documented by the cybersecurity company in March 2023, the adversary has been active since at least June 2022, singling out various state-owned entities in the Commonwealth of Independent States (CIS) countries. Slovak cybersecurity firm ESET tracks the activity under the name SturgeonPhisher.

YoroTrooper’s attack cycles primarily rely on spear-phishing to distribute a medley of commodity and open source stealer malware, although the group has also been observed using the initial access vector to direct victims to attacker-controlled credential harvesting sites.

“The practice of credential-harvesting runs complementary to YoroTrooper’s malware-based operations with the end goal being data theft,” the researchers said.

Public disclosure of the threat actor’s campaigns has prompted a tactical revamp of its arsenal, pivoting from commodity malware to custom tools programmed in Python, PowerShell, Golang, and Rust.

The actor’s strong ties to Kazakhstan stem from the fact that it regularly conducts security scans of the state-owned email service, mail[.]kz, indicating continued efforts to monitor the website for potential security vulnerabilities.

It also periodically checks for currency conversion rates between Tenge and Bitcoin on Google (“btc to kzt”) and uses alfachange[.]com to convert Tenge to Bitcoin and pay for infrastructure upkeep.

Beginning in June 2023, YoroTrooper’s targeting of CIS countries has been accompanied by an increased focus on bespoke implants, while simultaneously using vulnerability scanners such as Acunetix and open-source data from search engines like Shodan to locate and infiltrate victim networks.

Some of the targets included Tajikistan’s Chamber of Commerce, the Drug Control Agency, the Ministry of Foreign Affairs, Kyrgyzstan’s KyrgyzKomur, and the Ministry of Energy of the Republic of Uzbekistan.

Another notable aspect is the use of email accounts to register and purchase tools and services, including a NordVPN subscription and a VPS instance from netx[.]hosting for $16 a month.

A major update to the infection chain entails porting its Python-based remote access trojan (RAT) to PowerShell as well as employing a custom-built interactive reverse shell to run commands on infected endpoints via cmd.exe. The PowerShell RAT is designed to accept incoming commands and exfiltrate data via Telegram.

In addition to experimenting with multiple types of delivery vehicles for their backdoors, YoroTrooper is said to have added Golang- and Rust-based malware as of September 2023, allowing it to establish a reverse shell and harvest sensitive data.

“Their Golang-based implants are ports of the Python-based RAT that uses Telegram channels for file exfiltration and C2 communication,” the researchers explained.
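The Telegram-based command channel described above, as an added detection example (not code from Cisco Talos, ESET, The Hacker News or the actor's tooling): Telegram's Bot API is reached over HTTPS at api.telegram.org with the bot token embedded in the URL path, so a web proxy or EDR that records full URLs can tell a script host polling getUpdates for operator commands and pushing files with sendDocument apart from ordinary user traffic. The pipe-separated log format, host names, process names, bot tokens, the allow-list of sanctioned automation and the thresholds below are constructed assumptions; only the api.telegram.org host and the /bot<token>/<method> URL shape are real.

```python
"""Flag Telegram Bot API use as a C2 / exfiltration channel in outbound proxy logs.

Added example, not code from Cisco Talos, ESET or any threat actor's implant.
Log format, host and process names, tokens and thresholds are assumptions.
"""
import re
from collections import defaultdict

# A bot token is "<numeric bot id>:<35-char secret>" and sits in the URL path,
# so a full-URL proxy log also captures the operator's credential.
BOT_CALL = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)")

# Bot API methods that matter for a RAT: polling for commands and pushing data out.
C2_POLL_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Assumed allow-list of sanctioned automation. End-user Telegram clients do not
# use the Bot API, so any other /bot<token>/ caller is unexpected automation.
SANCTIONED_BOT_PROCESSES = {"alertbot.exe"}
POLL_THRESHOLD = 3            # getUpdates calls per (host, process, token) before it is beaconing
EXFIL_BYTES_THRESHOLD = 100_000  # bytes uploaded via send* methods before it is exfiltration

# Constructed proxy records: ts|src_host|process|dst_host|http_method|path|bytes_out
SAMPLE_LOG = """\
2023-10-02T08:00:01Z|WS-042|powershell.exe|api.telegram.org|GET|/bot7000000001:AAHxExampleBotSecret_constructed_01/getUpdates?offset=1|0
2023-10-02T08:00:31Z|WS-042|powershell.exe|api.telegram.org|GET|/bot7000000001:AAHxExampleBotSecret_constructed_01/getUpdates?offset=2|0
2023-10-02T08:01:01Z|WS-042|powershell.exe|api.telegram.org|GET|/bot7000000001:AAHxExampleBotSecret_constructed_01/getUpdates?offset=3|0
2023-10-02T08:01:31Z|WS-042|powershell.exe|api.telegram.org|GET|/bot7000000001:AAHxExampleBotSecret_constructed_01/getUpdates?offset=4|0
2023-10-02T08:02:00Z|WS-042|powershell.exe|api.telegram.org|POST|/bot7000000001:AAHxExampleBotSecret_constructed_01/sendDocument|150000
2023-10-02T08:02:05Z|WS-042|powershell.exe|api.telegram.org|POST|/bot7000000001:AAHxExampleBotSecret_constructed_01/sendDocument|80000
2023-10-02T08:03:00Z|WS-017|python.exe|api.telegram.org|GET|/bot7000000002:AAHxExampleBotSecret_constructed_02/getUpdates|0
2023-10-02T08:03:10Z|WS-017|chrome.exe|web.telegram.org|GET|/k/|512
2023-10-02T08:04:00Z|SRV-01|alertbot.exe|api.telegram.org|POST|/bot7000000003:AAHxExampleBotSecret_constructed_03/sendMessage|2048
"""


def parse_line(line):
    """Split one pipe-separated proxy record into a dict with normalised fields."""
    ts, src_host, process, dst_host, http_method, path, bytes_out = line.strip().split("|")
    return {
        "ts": ts, "src_host": src_host, "process": process.lower(),
        "dst_host": dst_host.lower(), "http_method": http_method,
        "path": path, "bytes_out": int(bytes_out),
    }


def flag_telegram_c2(lines):
    """Return findings for hosts whose non-sanctioned processes poll or upload via the Bot API."""
    polls = defaultdict(int)    # (src_host, process, token) -> getUpdates count
    uploads = defaultdict(int)  # (src_host, process, token) -> bytes sent via send* methods
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dst_host"] != "api.telegram.org":
            continue
        m = BOT_CALL.match(rec["path"])
        if not m or rec["process"] in SANCTIONED_BOT_PROCESSES:
            continue  # not a Bot API call, or sanctioned automation
        key = (rec["src_host"], rec["process"], m["token"])
        if m["method"] in C2_POLL_METHODS:
            polls[key] += 1
        elif m["method"] in EXFIL_METHODS:
            uploads[key] += rec["bytes_out"]

    findings = []
    for (src_host, process, token), n in polls.items():
        if n >= POLL_THRESHOLD:
            findings.append({"src_host": src_host, "process": process,
                             "bot_id": token.split(":")[0], "kind": "c2_polling", "count": n})
    for (src_host, process, token), b in uploads.items():
        if b >= EXFIL_BYTES_THRESHOLD:
            findings.append({"src_host": src_host, "process": process,
                             "bot_id": token.split(":")[0], "kind": "exfiltration", "bytes_out": b})
    return sorted(findings, key=lambda f: (f["src_host"], f["kind"]))


if __name__ == "__main__":
    for finding in flag_telegram_c2(SAMPLE_LOG.splitlines()):
        print(finding)
```

Keying on the bot id rather than the process name is what lets an analyst scope an intrusion: every host that talks to the same bot id shares an operator. The approach needs URL-level telemetry (TLS inspection at the proxy, or EDR network events that record the request path); with only DNS or SNI data the best that remains is "api.telegram.org contacted by a script host", which is still worth an alert on a fleet where Telegram automation is not expected.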

Source: The Hacker News

Super Flock of Pigeons Leaves Nepali Researchers Asking What Happened
https://tashkentcitizen.com/super-flock-of-pigeons-leaves-nepali-researchers-asking-what-happened/
Thu, 28 Sep 2023

KATHMANDU – In December 2022, Hiru Lal Dangaura, Vikram Tiwari and Subam Chaudhary were conducting a routine check on a vulture colony in the western plains of Nepal, when they witnessed a stunning spectacle: a huge flock of pigeons. There were so many of the birds that the swarm stretched across the sky, forming a dynamic canvas of gray and white. The observers recalled hearing the rhythmic flapping of wings and the soft cooing of the birds, as they looked at them in wonder and fascination.

The discovery of the flock, estimated at some 6,500 pigeons on Dec. 14, and 7,500 the next day, has been touted as a rare phenomenon that has puzzled local researchers and bird-watchers alike, Dangaura and his colleagues wrote in a recently published study in the Nepalese Journal of Zoology.

“We had never encountered such a large assembly of pigeons in our careers,” Dangaura, a project field officer at the NGO Bird Conservation Nepal (BCN), told Mongabay.

The observation coincided with the period when farmers in the plains started irrigating their land for their winter wheat crop.

“When water enters the fields, bird prey such as worms and insects come to the surface. The pigeons we saw were feeding on those types of prey,” Dangaura said.

The flock was made up of the South-Central Asian subspecies of the common woodpigeon, Columba palumbus casiotis, which the study authors identified from the birds’ cinnamon-colored neck. Woodpigeons aren’t considered a threatened species, since they occur in large numbers across a broad range, from Europe to West Asia and North Africa. In Nepal, the pigeon is a migratory species, and has routinely been spotted during the winter.

“However, we had never seen a flock this big,” said ornithologist Krishan Prasad Bhusal, who wasn’t involved in the study.

“The high count of this species observed by our team exceeds any known reports for this subspecies,” the study authors noted. The previous biggest flock observed by ornithologists in Nepal was around 300.

And for this particular subspecies, the size of the flock is unprecedented across its range in this part of the world, the study said. Other significant observations of the species, which the authors obtained from the citizen-science platform eBird, showed flocks of about 500 pigeons in India and 250 in Pakistan. Smaller flocks were recorded in southern Iran (40) and northeastern Iran (100).

The European subspecies, C. p. palumbus, however, has been observed in massive flocks of around 50,000 birds, said study co-author Anand Chaudhary. He added that he believes the birds they saw in Nepal's plains were likely on the Central Asian Flyway, the migration route used by large numbers of birds between overwintering and breeding grounds throughout Eurasia, the Arctic Ocean, the Indian Ocean and the associated island chains.

Various factors such as food availability, weather conditions, predator avoidance and social attraction may have led to such a large number coming together at once as they passed through Nepal, Chaudhary said.

“We don’t know [for certain] what brought the flocks in such numbers to Nepal,” he said. “There hasn’t been much research into how these birds use the flyway.”

Dangaura said that changes in climatic and environmental variables such as wind patterns and precipitation due to warming of the planet could have been a factor.

“We also considered possibilities such as the massive floods that took place in Pakistan in the summer of 2022,” the study authors said. Although most of the flood-hit areas aren’t wintering grounds for the woodpigeon, their habitats may have been affected by heavy rainfall spread across the country, the study says.

“However, to correlate the Pakistan floods to common wood pigeon irruption in Nepal is no more than speculative,” it notes. It adds such migrations may be common for the subspecies, but may not have been recorded previously due to a limited number of bird-watchers and ornithologists in the South and Central Asian region.

Chaudhary said the results call for greater effort to monitor and conserve birds along the Central Asian Flyway, and assess the potential impacts of climatic factors.

However, Bhusal said he doubts the pigeons were on the Central Asian Flyway, which he noted is frequented by waterbirds and birds of prey such as vultures. He agreed, though, that more research is needed to clear up the question.

Meanwhile, Dangaura and his team are eagerly awaiting the arrival of the coming winter to see if the pigeons return in huge numbers like last year. They tried to count them the last time around, he said, and this time plan to get a better understanding of what’s actually going on.

Source: Mongabay
