Logtu Malware Used in Attacks on Eastern European Entities
Security researchers have published a report on a series of cyberattacks against military-industrial entities in Eastern Europe and Afghanistan. The attacks took place in January 2022 and are attributed to TA428, a China-linked threat actor.
The attacks targeted military-industrial plants and research facilities in Russia, Belarus, Ukraine and Afghanistan. Several different malicious tools were used in the campaign, one of which the researchers refer to as Logtu.
Logtu is a multi-purpose backdoor that is deployed in the same way as the other backdoors TA428 uses. Its latest versions resolve imports dynamically at runtime and keep the names of the API functions they call XOR-encrypted (in practice a simple obfuscation rather than cryptographic protection), so the names never appear as cleartext strings in the binary and signature-based detection is harder.
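The combination of dynamic imports and XOR-obfuscated names defeats the simplest triage step, running `strings` over the binary, but a single-byte XOR key is trivial to sweep. The following is an added example, not code from the report or from Logtu: it builds a constructed sample blob holding XOR-encoded Win32 API names, shows that naive string extraction finds none of them, recovers the key by trying all 256 values against a list of API names a backdoor is likely to resolve, and mimics the malware-side lookup in which the name is decoded only at the moment of resolution. The single-byte repeating key and the `KNOWN_APIS` list are assumptions for illustration, not documented Logtu details.

```python
"""Recovering XOR-obfuscated API names from a binary blob.

Added example, not code from the original report or from the Logtu
malware. Assumes a single-byte repeating XOR key over NUL-terminated
ASCII API names; that scheme is an assumption, not a documented detail.
"""
import re
from typing import Dict, List

# API names a dynamically-importing backdoor is likely to resolve at run
# time (process injection, file and process commands). Assumed list.
KNOWN_APIS: List[bytes] = [
    b"LoadLibraryA", b"GetProcAddress", b"VirtualAllocEx",
    b"WriteProcessMemory", b"CreateRemoteThread", b"ResumeThread",
    b"NtUnmapViewOfSection", b"GetTickCount", b"DeleteFileA",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (0..255)."""
    return bytes(b ^ key for b in data)


def build_sample_blob(key: int) -> bytes:
    """Constructed sample standing in for a .data section: the names from
    KNOWN_APIS, NUL-terminated and XOR-encoded, between zero filler."""
    filler = b"\x00" * 16
    body = b"".join(xor_bytes(name + b"\x00", key) for name in KNOWN_APIS)
    return filler + body + filler


def printable_strings(blob: bytes, min_len: int = 6) -> List[bytes]:
    """What a plain `strings`-style pass would see: runs of printable
    ASCII of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def recover_xor_strings(blob: bytes, candidates: List[bytes],
                        min_hits: int = 2) -> Dict[int, List[bytes]]:
    """Try every single-byte key against the whole blob and return
    {key: [candidate names that decode under it]}. A key that exposes
    several known API names at once is the one worth reporting; single
    coincidental hits are filtered out by min_hits."""
    hits: Dict[int, List[bytes]] = {}
    for key in range(256):
        plain = xor_bytes(blob, key)
        found = [name for name in candidates if name + b"\x00" in plain]
        if len(found) >= min_hits:
            hits[key] = found
    return hits


def resolve_import(encoded_name: bytes, key: int,
                   exports: Dict[bytes, int]) -> int:
    """Malware-side view of dynamic import resolution: the encoded name is
    decoded only for the lookup, so cleartext never sits in the image.
    `exports` stands in for the DLL export table GetProcAddress consults;
    the mapping here is constructed for the example."""
    name = xor_bytes(encoded_name, key).rstrip(b"\x00")
    return exports[name]


if __name__ == "__main__":
    KEY = 0x5A  # assumed key for the constructed sample
    blob = build_sample_blob(KEY)
    print("strings-style pass sees:", printable_strings(blob))
    for key, names in recover_xor_strings(blob, KNOWN_APIS).items():
        print(f"key 0x{key:02x} decodes: {[n.decode() for n in names]}")
    fake_exports = {b"GetTickCount": 0x7FF0_0001}  # constructed
    enc = xor_bytes(b"GetTickCount\x00", KEY)
    print(hex(resolve_import(enc, KEY, fake_exports)))
```

Against a real sample the same sweep is run over the section that holds the encoded strings; if the actor moves to a multi-byte or per-string key, the per-blob sweep no longer works and the reliable recovery point becomes the decoded name at the moment it is passed to GetProcAddress, which a debugger or an API-monitoring sandbox will show regardless of how the string was stored.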
Other backdoors attributed to TA428 are injected through process hollowing of a system process. Logtu is deployed with the same injection technique, but the hollowed process belongs to some other legitimate application present on the system, and the malicious library is loaded into that process instead.
Logtu supports a wide range of operator commands, including reporting system uptime, deleting files, writing data to files, taking screenshots, and launching and terminating processes.