UnsolicitedBooker targets telecoms in Central Asia with new backdoors

Malware, Critical Infrastructure Security, Threat Intelligence

The threat activity cluster known as UnsolicitedBooker has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan, marking a shift from its earlier attacks on Saudi Arabian entities, according to a report published by The Hacker News.

UnsolicitedBooker, a China-aligned threat actor active since at least March 2023, has deployed two distinct backdoors, LuciDoor and MarsSnake, in recent intrusions. Its initial targets were Saudi Arabian organizations; its most recent activity has focused on telecommunications providers in Kyrgyzstan and Tajikistan.

Attacks typically begin with phishing emails carrying malicious Microsoft Office documents. When a document is opened, its macros run a malware loader, either LuciLoad or MarsSnakeLoader, which in turn delivers the corresponding backdoor. Both LuciDoor and MarsSnake can collect system information, execute arbitrary commands, and exfiltrate data.

The group has also been observed using rarely seen tools of Chinese origin and shows tactical overlaps with other clusters such as Space Pirates. In some intrusions, the attackers used compromised routers as command-and-control servers.

Source: The Hacker News
