Armored Likho, a newly identified threat actor, targets government entities and the electric power sector in Russia, Brazil, and Kazakhstan. The group pairs financially motivated attacks on individuals with targeted cyber espionage against organizations.
Technical Sophistication of Armored Likho
Armored Likho operates a toolset of obfuscated, modular Remote Access Trojans (RATs) and information stealers built to evade dynamic analysis. For remote access and network tunneling the group uses tools such as Go2Tunnel, which let it maintain access to compromised systems, exfiltrate sensitive data, and deploy modules tailored to the victim's profile.
Recent research by Kaspersky points to possible connections between Armored Likho and a threat cluster known as Eagle Werewolf, active since May 2023. Eagle Werewolf is known for targeting government and defense organizations, particularly those involved in UAV development, using tooling such as droppers and SSH tunnels.
Unveiling the BusySnake Stealer
The discovery of a Python-based stealer, named BusySnake, marks a notable step in Armored Likho's capabilities. The malware targets Windows systems and includes a module that extracts cookies from web browsers. The attack chain typically begins with a spear-phishing email carrying a RAR archive; the malicious executables inside it are sourced from GitHub and lead to installation of the stealer.
BusySnake is engineered to avoid detection and communicates with a command-and-control (C2) server to receive instructions. It can steal clipboard data, collect file metadata, upload documents, capture screenshots, and persist through scheduled tasks.
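Scheduled-task persistence of the kind described above leaves a record in the Windows Security log (Event ID 4698, "A scheduled task was created", whose TaskContent field carries the task definition XML). The script below is an added example, not code from the Kaspersky report or from the malware: it parses that task XML and flags newly created tasks whose action launches a script interpreter, runs from a user-writable directory, or points at a script file. The sample events, task names, and paths are constructed for illustration and are not indicators from the report; the heuristics are generic and will also flag legitimate user-installed tools, so treat hits as triage candidates rather than verdicts.

```python
"""Triage Windows Event ID 4698 (scheduled task created) records for
persistence that looks like a user-land stealer rather than a system task.
Added example; the events below are constructed, not real indicators."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample events: only the 4698 fields used here are kept.
SAMPLE_EVENTS = [
    {"SubjectUserName": "alice",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>"""},
    {"SubjectUserName": "alice",
     "TaskName": r"\OneDriveUpdate",   # hypothetical name chosen to blend in
     "TaskContent": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>C:\Users\alice\AppData\Local\Programs\Python\pythonw.exe</Command>
  <Arguments>C:\Users\alice\AppData\Roaming\svc\main.pyw</Arguments></Exec></Actions>
</Task>"""},
    {"SubjectUserName": "bob",
     "TaskName": r"\Adobe Acrobat Update Task",
     "TaskContent": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Command></Exec></Actions>
</Task>"""},
]

# Directories a non-admin user can write to; a system task rarely runs from here.
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\Users\\Public\\)",
    re.IGNORECASE)
# Interpreters and launchers commonly used to run a script-based payload.
LAUNCHERS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
             "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
SCRIPT_EXT = re.compile(r"\.(py|pyw|ps1|vbs|js|hta|bat|cmd)\b", re.IGNORECASE)


@dataclass
class Finding:
    task_name: str
    user: str
    command: str
    arguments: str
    reasons: list[str] = field(default_factory=list)


def extract_actions(task_xml: str) -> list[tuple[str, str]]:
    """Return (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_el in root.iter(TASK_NS + "Exec"):
        cmd = (exec_el.findtext(TASK_NS + "Command") or "").strip()
        args = (exec_el.findtext(TASK_NS + "Arguments") or "").strip()
        actions.append((cmd, args))
    return actions


def assess_action(command: str, arguments: str) -> list[str]:
    """Heuristic reasons an Exec action deserves a look; empty list means none."""
    reasons = []
    exe = command.strip('"').rsplit("\\", 1)[-1].lower()
    if exe in LAUNCHERS:
        reasons.append(f"launcher/interpreter {exe}")
    if USER_WRITABLE.search(command):
        reasons.append("command in user-writable path")
    if USER_WRITABLE.search(arguments):
        reasons.append("arguments reference user-writable path")
    if SCRIPT_EXT.search(arguments):
        reasons.append("arguments name a script file")
    return reasons


def triage(events) -> list[Finding]:
    """Run the heuristics over 4698-style records and return the suspicious ones."""
    findings = []
    for ev in events:
        for cmd, args in extract_actions(ev["TaskContent"]):
            reasons = assess_action(cmd, args)
            if reasons:
                findings.append(Finding(ev["TaskName"], ev["SubjectUserName"], cmd, args, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[!] {f.task_name} (created by {f.user}): {f.command} {f.arguments}")
        for r in f.reasons:
            print("    -", r)
```

In practice you would feed this from exported Security-log events (for example the XML produced by `wevtutil qe Security /q:"*[System[EventID=4698]]" /f:xml`) rather than the embedded samples, and extend the heuristics with whatever interpreter paths and task names are normal in your environment. Auditing of task creation must be enabled (Object Access: Other Object Access Events) for 4698 to be logged at all.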
Advanced Tactics and Future Outlook
Armored Likho's tradecraft reflects a trend toward more complex attack methodologies. Building reverse-tunneling capability directly into the malware, and using AI tools to generate first-stage payloads, point to growing technical maturity and adaptability. The malware handles C2 commands dynamically and reports task status back to the operator, which streamlines operations.
The overlaps between Armored Likho and Eagle Werewolf, particularly in shared tactics and tooling, suggest a broader ecosystem of related activity rather than a single isolated cluster. As these groups evolve, defenses must advance in parallel to counter increasingly intricate and targeted attacks.
Kaspersky's findings underline the need for heightened security measures and vigilance as Armored Likho refines its toolkit, posing an ongoing threat to government and energy-sector organizations.
