QiAnXin Threat Intelligence Center reports a campaign distributing various information stealers, including Redline, LummaC2, and Amadey, via a Russian-language trojanized version of 7z on the Microsoft Store. The threat has been ongoing since at least January 2023.
According to the QiAnXin Threat Intelligence Center report, it remains unclear how the attacker successfully uploaded the trojanized application onto the Microsoft Store.
The attack chain consists of the following steps:
Download of the malicious Russian-language 7s-soft.exe;
The malicious file installs a Java virtual machine (JVM), which helps the subsequent stages of the infection evade detection;
The JVM is used to compile malicious code that initiates communication with the command-and-control (C2) server and downloads a second-stage payload, consistent with the information stealers listed above.
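The chain above (a 7z installer that drops a JVM, which then beacons to a C2 server) can be hunted for in endpoint process telemetry. The following is an added example, not code from the QiAnXin report: it walks constructed process-creation and network-connection events and flags any Java runtime whose parent is the installer named in the report and that opens an outbound connection. The event schema, the Java image names, and the sample IP addresses are assumptions chosen for this example; map them onto your EDR's field names.

```python
"""Hunting heuristic for the attack chain described above:
7s-soft.exe (installer named in the report) -> java runtime -> outbound connection.
Event layout and all sample data below are constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                        # basename of the executable
    remote_ip: Optional[str] = None   # set only on network-connection events

# Assumed image names of a JVM launched from an installer; javac.exe is
# included because the report says the JVM is used to compile code.
JAVA_IMAGES = {"java.exe", "javaw.exe", "javac.exe"}
INSTALLER_IMAGE = "7s-soft.exe"       # from the report

def find_installer_to_jvm_chains(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """Return (installer_pid, java_pid, remote_ip) for every Java process that was
    spawned by the installer and later opened a network connection."""
    # Build the process tree from process-creation records only.
    by_pid = {e.pid: e for e in events if e.remote_ip is None}
    hits = []
    for e in events:
        if e.remote_ip is None:
            continue                                  # not a network event
        proc = by_pid.get(e.pid)
        if proc is None or proc.image.lower() not in JAVA_IMAGES:
            continue                                  # not a JVM talking out
        parent = by_pid.get(proc.ppid)
        if parent is not None and parent.image.lower() == INSTALLER_IMAGE:
            hits.append((parent.pid, proc.pid, e.remote_ip))
    return hits

# Constructed sample telemetry; IPs are from documentation ranges (RFC 5737).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "7s-soft.exe"),                      # trojanized installer
    ProcEvent(300, 200, "java.exe"),                         # JVM dropped by it
    ProcEvent(300, 200, "java.exe", remote_ip="203.0.113.10"),  # C2 beacon
    ProcEvent(400, 100, "java.exe"),                         # benign JVM from explorer
    ProcEvent(400, 100, "java.exe", remote_ip="198.51.100.7"),
]

if __name__ == "__main__":
    for installer_pid, java_pid, ip in find_installer_to_jvm_chains(SAMPLE_EVENTS):
        print(f"ALERT: pid {installer_pid} ({INSTALLER_IMAGE}) -> java pid {java_pid} -> {ip}")
```

Only the JVM whose parent is the installer is reported; the Java process launched directly from the shell is left alone, which keeps the heuristic from firing on ordinary Java applications. In a real deployment the parent check would be broadened to any package installed from the Store that unexpectedly drops a runtime.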
Payloads were staged on WordPress sites that redirected to attacker-controlled resources, a technique QiAnXin attributes to Russian-speaking actors. The primary vector being a Russian-language application also suggests that Russian-speaking users were the intended targets of this supply chain poisoning attack. Against this hypothesis, QiAnXin researchers found that the majority of downloads occurred in Asia, and particularly in China; however, that may reflect the analytical focus of their research.
According to the same report, registration records for the domains used in the campaign list registrants based in Russia and Ukraine.