An advanced persistent threat that Russia found inside government systems was too crude to have been the work of a Western nation, says security researcher Juan Andrés Guerrero-Saade of Sentinel Labs, before suggesting the malware came from a Chinese entity.

Russian telco and IT services provider Rostelecom and the nation’s National Coordination Center for Computer Incidents, an arm of the Russian Federal Security Service (FSB), in May published a joint report that detailed their assessment of attacks on several Russian government entities detected in 2020.

The report said the attacks were made using malware named “Mail-O” and asserted that attackers used cloud storage services provided by Russian companies Yandex and Group. The malware mimicked legitimate cloud storage management apps Disk-O and Yandex Disk.

Guerrero-Saade wrote that he feels the security industry has quickly defaulted to a view that Western actors were behind the attacks.

“I think we’ll be relieved to find out that was most likely not the case – if solely because we’ve come to expect a higher standard for Western malware development,” he wrote.

Guerrero-Saade reached that opinion after assessing samples of Mail-O and suggesting it is “a variant of a relatively well-known malware called PhantomNet or SManager used by a threat actor ‘TA428’.”

The researched makes that assertion because Mail-O, PhantomNet and SManager all share a function called “Entery” that he supposes is a misspelling of “Entry”.

“Misspellings are a true gift for malware researchers,” Guerrero-Saade wrote.

TA428, he added, has a history of attacking Russian and south-east Asian targets and is credibly assessed as having Chinese origins.

“These presumably Chinese clusters of activity are confusing and difficult to disentangle,” he admitted. “Tooling is likely shared among multiple threat actors (likely including PhantomNet/SManager), and what’s being referred to as ‘TA428’ is probably an amalgam of multiple threat groups.”

Wherever it came from, Mail-0 is nasty. The software “acts as a downloader with a thin veneer of similarity to the legitimate Disk-O software” and disguises itself using a legitimate Disk-O version number. Once it infects a machine, the malware downloads a payload and creates the “Entery” function, then downloads a third piece of software that the Russian report claims attempts to subvert email accounts and exfiltrate documents. ®