Chinese Threat Group 'Jewelbug' Quietly Infiltrated Russian IT Network for Months

A threat actor with ties to China has been attributed to a five-month-long intrusion targeting a Russian IT service provider, marking the hacking group’s expansion to the country beyond Southeast Asia and South America.

“Attackers had access to code repositories and software build systems that they could potentially leverage to carry out supply chain attacks targeting the company’s customers in Russia,” the Symantec Threat Hunter Team said in a report shared with The Hacker News. “Notably too, the attackers were exfiltrating data to Yandex Cloud.”

In the attack aimed at the Russian IT service provider, Jewelbug is said to have leveraged a renamed version of Microsoft Console Debugger (“cdb.exe”), which can be used to run shellcode and bypass application allowlisting, as well as launch executables, run DLLs, and terminate security solutions.

The infection chain is also characterized by the deployment of the KillAV tool to disable security software and a publicly available tool named EchoDrv, which permits abuse of the kernel read/write vulnerability in the ECHOAC anti-cheat driver, as part of what appears to be a bring your own vulnerable driver (BYOVD) attack.

To read the complete article see: The Hacker News