Novel YoroTrooper cyberespionage campaigns examined

Several government and energy entities in Commonwealth of Independent States nations, European embassies, a healthcare-oriented European Union agency, and the World Intellectual Property Organization have been targeted by cyberespionage campaigns launched by the newly emergent threat actor YoroTrooper since June, according to BleepingComputer. YoroTrooper has been leveraging phishing emails to distribute .NET-based implants and Python stealers in attacks against Belarus, Azerbaijan, Tajikistan, and Uzbekistan since last summer, a Cisco Talos report revealed. While earlier YoroTrooper intrusions used the LodaRAT and AveMaria (also known as Warzone RAT) payloads, the attacker has since transitioned to custom Python RATs packaged with Nuitka, which lets the payloads run regardless of whether Python is installed on targeted devices. Attacks by YoroTrooper in January used a Python-based stealer script that harvested account credentials stored in the Chrome browser, while new attacks the following month deployed the novel Stink credential stealer, which can exfiltrate both browser-stored data and basic system information, said researchers.