A new .NET backdoor, dubbed STOCKSTAY, has been attributed to the Russian state-sponsored threat actor Turla, according to the Google Threat Intelligence Group. This sophisticated cyber espionage tool has been deployed against government and military organizations in Ukraine, as well as entities with interests in Italian foreign policy, according to a recent report by The Hacker News.

STOCKSTAY, written in .NET and utilizing the Windows Forms framework, communicates with its command-and-control (C2) server via a secure WebSocket connection. It shares significant code and functional overlaps with Kazuar, a backdoor Turla has used since 2017. The malware is multi-component, with distinct modules like STOCKSTAY.STOCKBROKER for tunneling and STOCKSTAY.STOCKTRADER for information gathering, all orchestrated by STOCKSTAY.STOCKMARKET.

Initial infection vectors have included phishing emails with malicious RDP files and RAR archives exploiting WinRAR vulnerabilities. Turla has used STOCKSTAY both for initial access and during post-exploitation phases, sometimes alongside Kazuar, suggesting potential testing of new capabilities or a transition from older tools. The targeting of Ukrainian and Italian entities highlights the ongoing cyber espionage efforts by the group.

Source: The Hacker News




