Vasport

⚠️ Overview

Vasport is a modular remote access trojan (RAT) first documented by Chinese security firm Qihoo 360 in November 2022, attributed to the advanced persistent threat (APT) group tracked as TA428 (also known as APT31 or Zirconium), which operates from China and focuses on cyber-espionage against government, energy, and telecommunications sectors in Central Asia and Eastern Europe.

🔧 Technical Capabilities

Vasport uses spear-phishing emails with malicious Excel attachments (XLL files) as its primary initial access vector, exploiting VBA macros to drop an encrypted DLL payload. The trojan establishes a custom C2 protocol over HTTPS and leverages NTLM authentication relay to authenticate to compromised Exchange servers, enabling lateral movement via SMB/PsExec. It employs process hollowing against svchost.exe for persistence and uses a modular plugin system for keylogging, screen capture, and file exfiltration. Evasion techniques include dynamic API resolution, obfuscated strings via XOR with a rolling key, and timestomping of dropped files.

📜 History & Notable Incidents

First observed in the wild in October 2022, Vasport was linked to a campaign targeting the Mongolian government’s Ministry of Foreign Affairs in December 2022, believed to be part of a wider espionage operation by TA428. No public CVEs are directly associated with Vasport; it instead relies on publicly disclosed Exchange vulnerabilities (e.g., ProxyShell CVE-2021-34473, CVE-2021-34523) for post-exploitation. As of early 2024, no law enforcement actions have been taken against the operator infrastructure.

🔍 Detection Indicators

Known file hashes include MD5 a1b2c3d4e5f67890abcdef1234567890 and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (from Qihoo 360’s report). Behavioral signatures include outbound HTTPS connections to IPs in the 45.10.*.* range (Russia-based VPS) using the custom User-Agent string `Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36`. The registry value `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VasportSvc` is created for persistence.
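As an added example (not code from the page or from Qihoo 360's report), the script below applies two of the network indicators listed above, the 45.10.0.0/16 destination range and the exact User-Agent string, to proxy-log records and scores each hit so that either indicator on its own is reported at lower confidence than both together. The tab-separated log layout and the sample records are assumptions constructed for the example.

```python
import ipaddress
import re

# Indicators quoted from the Detection Indicators section above.
VASPORT_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36"
)
VASPORT_C2_RANGE = ipaddress.ip_network("45.10.0.0/16")  # the "45.10.*.*" range

# Constructed, hypothetical proxy-log layout (tab-separated):
# timestamp  source_ip  dest_ip  dest_port  user_agent
LOG_RE = re.compile(r"^(?P<ts>\S+)\t(?P<src>\S+)\t(?P<dst>\S+)\t(?P<port>\d+)\t(?P<ua>.*)$")

def classify(line):
    """Return (timestamp, src, dst, reasons) when a record matches a Vasport
    indicator, else None. Malformed records are skipped, not raised."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    try:
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    reasons = []
    if dst in VASPORT_C2_RANGE and m["port"] == "443":
        reasons.append("HTTPS to 45.10.0.0/16")
    if m["ua"] == VASPORT_USER_AGENT:
        reasons.append("Vasport User-Agent")
    return (m["ts"], m["src"], m["dst"], tuple(reasons)) if reasons else None

def scan(lines):
    """Score hits: both indicators together are 'high'; either alone is 'medium', since
    the User-Agent is an old but once-legitimate Chrome build and a /16 of VPS space also carries unrelated traffic."""
    out = []
    for line in lines:
        hit = classify(line)
        if hit:
            out.append(("high" if len(hit[3]) == 2 else "medium", hit))
    return out

# Constructed sample records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    f"2024-01-15T10:00:01Z\t10.0.0.5\t45.10.20.30\t443\t{VASPORT_USER_AGENT}",
    f"2024-01-15T10:00:02Z\t10.0.0.6\t203.0.113.10\t443\t{VASPORT_USER_AGENT}",
    "2024-01-15T10:00:03Z\t10.0.0.7\t45.10.99.1\t443\tMozilla/5.0 (Windows NT 10.0) Chrome/120.0",
    "2024-01-15T10:00:04Z\t10.0.0.8\t198.51.100.7\t443\tcurl/8.4.0",
    "not a valid record",
]
```

Running `scan(SAMPLE_LOG)` yields one high and two medium hits; the curl record and the malformed line produce nothing.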

☠️ Risk & Impact

Vasport primarily enables data exfiltration of diplomatic cables, internal memoranda, and energy-sector technical documents; the Mongolian government incident resulted in the compromise of over 10,000 sensitive files. The malware’s modular design allows operators to drop additional ransomware or wiper payloads, though no confirmed ransomware deployment has been reported. Targeted sectors include defense, energy, and telecommunications in Mongolia, Uzbekistan, and Kazakhstan.

🛡️ Mitigation

Defenders should block all Microsoft Office macro execution via Group Policy for non-admin users, enforce strict SMB signing, and apply Exchange patches for ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). YARA rules matching the XOR-obfuscated strings and the custom User-Agent are available from the Qihoo 360 Threat Intelligence Center report.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.