Networks in the Crosshairs: Hackers Attacked Kyrgyzstan's Telecom Twice and Targeted Tajikistan

Сергей Гармаш Exclusive

In all cases, the attackers relied on mass email campaigns. The emails, disguised as messages from prospective customers, contained fake inquiries about current mobile tariffs. Opening the attachment displayed an image asking the user to enable macros; once macros were enabled, the victim was shown a bogus tariff plan while the malware was installed in the background.

Experts determined that the downloaded backdoor, named LuciDoor, is written in C++ and can reach its command-and-control servers either directly or through proxy servers. Its functionality includes collecting data about the infected device and exfiltrating information.

New attacks on Kyrgyzstan's telecommunications sector were detected in November. The attackers modified the decoy document but made a similar mistake: it contained the wrong recipient name. This time the hackers used the MarsSnake backdoor, which had previously been observed in espionage attacks in Saudi Arabia.

A notable feature of MarsSnake is its ease of configuration: changes are made by updating the loader's parameters, so the executable does not need to be rebuilt. After the backdoor is installed, it begins collecting system data and sends a unique identifier to the command server.

As PT ESC TI expert Alexander Badaev noted, the malicious documents in last year's attacks were written in Russian, but their language settings included Arabic, English and Chinese. Some files contained a field indicating the use of the Chinese language, which suggests the attackers may have been using a Microsoft Office installation with those settings.
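The decoy documents described above combined a macro-enabled attachment with Office language settings that betrayed the attackers' working environment. As an added, defender-side example (not code from the article, from PT ESC or from the campaign), the following Python triage script checks an OOXML document for a VBA project part and reads the proofing-language attributes from word/settings.xml. The element and attribute names (w:themeFontLang with w:val, w:eastAsia and w:bidi) are the standard OOXML ones; the sample document is constructed in memory, and the OLE header bytes in the stub vbaProject.bin are a constructed placeholder rather than a real macro payload.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/settings.xml
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_sample_doc(with_macros: bool, langs: dict) -> bytes:
    """Construct a minimal OOXML-style zip in memory (constructed sample only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        attrs = " ".join(f'w:{k}="{v}"' for k, v in langs.items())
        zf.writestr(
            "word/settings.xml",
            f'<w:settings xmlns:w="{W_NS}"><w:themeFontLang {attrs}/></w:settings>',
        )
        if with_macros:
            # Placeholder OLE magic bytes only; not a functional VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def triage_office_doc(data: bytes) -> dict:
    """Report whether the document carries a VBA project and which proofing
    languages its settings declare (val = body, eastAsia, bidi)."""
    result = {"has_macros": False, "vba_parts": [], "languages": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        result["vba_parts"] = vba
        result["has_macros"] = bool(vba)
        if "word/settings.xml" in names:
            root = ET.fromstring(zf.read("word/settings.xml"))
            for el in root.iter(f"{{{W_NS}}}themeFontLang"):
                for attr, val in el.attrib.items():
                    # Strip the namespace prefix: "{ns}eastAsia" -> "eastAsia"
                    result["languages"][attr.split("}")[-1]] = val
    return result


def flag_reasons(result: dict) -> list:
    """Human-readable reasons a triage analyst would want to see."""
    reasons = []
    if result["has_macros"]:
        reasons.append("document contains a VBA project (macros)")
    langs = result["languages"]
    body = langs.get("val", "")
    for key in ("eastAsia", "bidi"):
        if key in langs and langs[key] != body:
            reasons.append(f"{key} proofing language {langs[key]} differs from body language {body or '(unset)'}")
    return reasons


if __name__ == "__main__":
    sample = build_sample_doc(True, {"val": "ru-RU", "eastAsia": "zh-CN", "bidi": "ar-SA"})
    info = triage_office_doc(sample)
    print(info)
    for reason in flag_reasons(info):
        print("FLAG:", reason)
```

Run against real files, the same checks (a vbaProject.bin part plus East Asian or bidirectional proofing languages that do not match the body language) give an analyst a quick reason to pull a document aside for deeper inspection before it reaches a user's mailbox.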

In the January attacks on Tajikistan, the attackers used links instead of malicious attachments, and the email text was in English. The malware delivered was again LuciDoor, but in a different configuration.