AI Security AI安全 7d ago Updated 7d ago 更新于 7天前 46

Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer 装甲利霍利用BusySnake窃取者针对政府机构和电力部门

Armored Likho is a previously undocumented threat actor targeting government and power sectors in Russia, Brazil, and Kazakhstan, blending financial motives with cyber espionage. The group utilizes BusySnake Stealer, a Python-based infostealer that employs dynamic bytecode decryption and evasion techniques to bypass static analysis. Attack vectors include spear-phishing emails with malicious RAR archives and exploitation of CVE-2025-9491 (Windows shortcut vulnerability) for remote code execution 新威胁组织Armored Likho针对俄罗斯、巴西和哈萨克斯坦的政府及电力部门发动网络间谍活动,兼具金融盗窃动机。 该组织使用新型Python信息窃取工具BusySnake Stealer,具备动态解密字节码、绕过动态分析及持久化驻留能力。 攻击链始于利用CVE-2025-9491漏洞或钓鱼邮件分发载荷,并通过Go2Tunnel建立反向SSH隧道以维持C2通信。 Armored Likho可能与BI.ZONE追踪的Eagle Werewolf组织存在重叠,两者在基础设施、持久化机制及C2通信模式上高度相似。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Armored Likho is a previously undocumented threat actor targeting government and power sectors in Russia, Brazil, and Kazakhstan, blending financial motives with cyber espionage.
  • The group utilizes BusySnake Stealer, a Python-based infostealer that employs dynamic bytecode decryption and evasion techniques to bypass static analysis.
  • Attack vectors include spear-phishing emails with malicious RAR archives and exploitation of CVE-2025-9491 (Windows shortcut vulnerability) for remote code execution.
  • BusySnake features extensive capabilities including credential theft, screenshot capture, clipboard monitoring, and integration with Go2Tunnel for reverse SSH tunnels.
  • Potential links to the Eagle Werewolf cluster suggest shared infrastructure, tactics, and a focus on high-value targets like UAV manufacturers and defense organizations.

Why It Matters

This incident highlights the increasing sophistication of hybrid threat actors who combine financially motivated operations with targeted state-level espionage, necessitating enhanced detection strategies for both personal and organizational assets. The use of novel evasion techniques in Python-based malware like BusySnake underscores the need for behavioral analysis over signature-based detection, particularly for infostealers designed to bypass dynamic sandboxes. Furthermore, the exploitation of legacy vulnerabilities like CVE-2025-9491 demonstrates that even patched flaws remain critical entry points for advanced persistent threats targeting critical infrastructure.

Technical Details

  • Malware Architecture: BusySnake Stealer is a Python-based tool (PYW extension) that runs without a console window. It uses dynamic decryption of bytecode only when functions are called, re-encrypting immediately after to hinder static analysis.
  • Persistence and Evasion: The malware establishes persistence via VBScript files and scheduled tasks. It prevents concurrent instances and cleans up artifacts like screenshot archives. A newer version includes a task-management framework for C2 command status reporting (SCHEDULED, IN_PROGRESS, etc.).
  • Data Exfiltration Capabilities: Functions include stealing clipboard data, enumerating file metadata, uploading documents, capturing screenshots, logging keystrokes, and extracting cookies/passwords from Firefox and Chromium browsers. It also targets cryptocurrency wallets and Telegram sessions.
  • Network and Remote Access: Utilizes Go2Tunnel for reverse SSH tunnels to C2 servers. Can install RustDesk to hijack remote desktop sessions, capturing credentials via screenshots if the victim is prompted to log in.
  • Initial Access Vectors: Primary method is spear-phishing with lures related to government notices, delivering EXE droppers from GitHub repositories. Secondary method exploits CVE-2025-9491 via malicious LNK files to execute obfuscated PowerShell commands leading to the stealer.

Industry Insight

Security teams should prioritize monitoring for unusual PowerShell executions and VBScript activity, especially in conjunction with scheduled task modifications, as these are key indicators of BusySnake’s persistence mechanisms. Organizations must ensure strict patch management for Windows shortcut vulnerabilities and implement application whitelisting to prevent unauthorized execution of downloaded payloads from sources like GitHub. Additionally, behavioral detection models should be tuned to identify the unique dynamic decryption patterns and C2 communication structures associated with modern Python-based infostealers.

TL;DR

  • 新威胁组织Armored Likho针对俄罗斯、巴西和哈萨克斯坦的政府及电力部门发动网络间谍活动,兼具金融盗窃动机。
  • 该组织使用新型Python信息窃取工具BusySnake Stealer,具备动态解密字节码、绕过动态分析及持久化驻留能力。
  • 攻击链始于利用CVE-2025-9491漏洞或钓鱼邮件分发载荷,并通过Go2Tunnel建立反向SSH隧道以维持C2通信。
  • Armored Likho可能与BI.ZONE追踪的Eagle Werewolf组织存在重叠,两者在基础设施、持久化机制及C2通信模式上高度相似。

为什么值得看

本文揭示了针对关键基础设施和政府机构的复杂APT攻击手法,特别是结合了零日/近零日漏洞利用与自研恶意软件的技术细节。对于安全从业者而言,深入理解BusySnake的动态混淆技术和Go2Tunnel隧道工具的使用,有助于优化检测规则并提升对类似高级持续性威胁的防御能力。

技术解析

  • 恶意软件架构与混淆:BusySnake Stealer采用PYW扩展名后台运行,通过“调用时动态解密、执行后立即重新加密”的字节码处理机制规避静态分析和沙箱检测。新版本引入了任务管理框架,支持SCHEDULED、IN_PROGRESS等状态报告,提升了C2通信的效率。
  • 攻击向量与初始访问:主要利用CVE-2025-9491(Windows快捷方式远程代码执行漏洞)或社会工程学钓鱼邮件(伪装成政府通知)。初始载荷为RAR压缩包内的EXE或LNK文件,通过VBScript擦除执行痕迹并利用计划任务实现持久化。
  • 数据窃取与横向移动功能:具备剪贴板监控、文件枚举、截图、键盘记录、加密货币钱包提取及浏览器Cookie/密码窃取功能。支持通过Go2Tunnel建立反向SSH隧道连接C2服务器,并可远程安装RustDesk进行屏幕捕获和凭证窃取。
  • 关联分析:Kaspersky指出Armored Likho与Eagle Werewolf在AquilaRAT和BusyStealer的C2通信端点、计划任务持久化方式及模块加载逻辑上存在显著重叠,暗示两者可能共享基础设施或开发资源。

行业启示

  • 强化终端检测与响应(EDR):鉴于恶意软件采用动态解密和反沙箱技术,传统基于签名的检测已失效,需部署行为监控和启发式分析以识别异常的系统调用和内存操作。
  • 关注供应链与第三方组件风险:攻击者利用GitHub托管载荷及利用常见软件(如RustDesk、Telegram)进行渗透,企业应严格审查第三方工具的来源,并限制其网络外联权限。
  • 加强关键基础设施防护:针对政府和电力部门的定向攻击表明,此类实体是高价值目标。需定期修补已知漏洞(如CVE-2025-9491),并对员工进行针对性的反钓鱼培训,同时监控异常的网络隧道流量。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Research 科学研究