APT trends report Q1 2020
#1
Bug 
Quote:APT trends report Q1 2020

Contents For more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q1 2020.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact ‘intelreports@kaspersky.com’.

Given the exceptional situation the world is living in because of the COVID-19 pandemia, it is mandatory we to start with a summary of how APT groups have been abusing this topic for different types of attacks.

COVID-19 APT activity

Since the World Health Organization (WHO) declared the COVID-19 a pandemic, this topic has received increased attention from different attackers. Many of the phishing scams we’ve seen have been launched by cybercriminals trying to cash-in on people’s fears about the virus.  However, the list of attackers also includes APT threat actors such as Kimsuky, APT27, Lazarus or ViciousPanda who, according to OSINT, have used COVID-19-themed lures to target their victims. We recently discovered a suspicious infrastructure that could have been used to target health and humanitarian organizations, including the WHO. Even though the infrastructure cannot be attributed to any particular actor at the moment, and was registered before the COVID-19 crisis in June 2019, according to some private sources it might be related to the DarkHotel actor. However, we cannot confirm this information at the moment. Interestingly, some groups have used the current situation to try to soften their reputation by declaring that they would not target health organizations during the crisis.

There are different publications reporting activity related to other APT actors using this lure, but in general, we do not believe this implies a meaningful change in terms of TTPs other than using a trendy topic for luring victims. We are closely monitoring the situation.

The most remarkable findings

In January 2020, we discovered a watering-hole utilizing a full remote iOS exploit chain. This site appears to have been designed to target users in Hong Kong, based on the content of the landing page. While the exploits currently being used are known, the actor responsible is actively modifying the exploit kit to target more iOS versions and devices. We observed the latest modifications on February 7. The project is broader than we initially thought, supporting an Android implant, and probably supporting implants for Windows, Linux, and MacOS. For the time being, we are calling this APT group TwoSail Junk. We believe this is a Chinese-speaking group; it maintains infrastructure mostly within Hong Kong, along with a couple of hosts located in Singapore and Shanghai. TwoSail Junk directs visitors to its exploit site by posting links within the threads of forum discussions, or creating new topic threads ofтtheir own. To date, dozens of visits were recorded from within Hong Kong, with a couple from Macau. The technical details around the functionality of the iOS implant, called LightSpy, and related infrastructure, reveal a low-to-mid capable actor. However, the iOS implant is a modular and exhaustively functional iOS surveillance framework.

Russian-speaking activity

In January, a couple of recently compiled SPLM/XAgent modules were detected in an Eastern European telecoms company. The initial point of entry is unknown, as is their lateral movement within this organization. It has become rare to identify SPLM infections, compared to past levels of Sofacy activity, so it seems that portions of this network may have been infected for some time. In addition to these SPLM modules, Sofacy also deployed .NET XTUNNEL variants and their loaders. These 20KB XTUNNEL samples themselves seem minimal in comparison to past XTUNNEL samples, which weighed in at 1-2MB. This shift to C# by the long-standing Sofacy XTunnel codebase reminds us of Zebrocy’s practice of re-coding and innovating long-used modules in multiple languages.

Gamaredon, a well-known APT group that has been active since at least 2013, has traditionally focused on Ukrainian entities. In recent months we have observed a campaign, made up of different waves, that has also been reported by multiple researchers on different social networks. The attackers sent malicious documents with remote template injection, resulting in a multi-level infection scheme to deploy a malicious loader that periodically contacts a remote C2 to download additional samples. Based on past research, we know that the Gamaredon’s toolkit includes many different malware artefacts, developed to achieve different goals. These include scanning drives for specific system files, capturing screenshots, executing remote commands, downloading additional files and managing the remote machine with programs such as UltraVNC. In this case, we observed an interesting new second stage payload that includes spreading capabilities, that we call “Aversome infector”. This malware seems to have been developed to maintain a strong persistence in the target network and to move laterally by infecting Microsoft Word and Excel documents on external drives.

Chinese-speaking activity

CactusPete is a Chinese-speaking cyber-espionage group active since at least 2012 characterized by medium-level technical capabilities. Historically, this threat actor has targeted organizations within a limited range of countries – South Korea, Japan, the US and Taiwan. At the end of 2019 the group seemed to shift towards a heavier focus on Mongolian and Russian organizations. CactusPete offensive activity against the Russian defense industry and Mongolian government appears to be mostly delineated from its Russian-Mongolian commercial and border relationships. However, one bait exploit document dropping its Flapjack backdoor (tmplogon.exe, primarily focused on new Russian targets) is authored in Mongolian. The group’s broadening of techniques, exploit re-purposing, targeting shift and possible expansion suggests changes in the group’s resources and operations.

Rancor is a group that has been publicly reported since 2018, with connections to DragonOK. This actor traditionally had a focus on Southeast Asian targets, namely Cambodia, Vietnam and Singapore. We noted several updates to the group’s activity in the last few months, namely the discovery of a new variant of the Dudell malware that we are calling ExDudell, a new tool for bypassing UAC (User Account Control), and new infrastructure utilized in the attacks. Apart from this, we have also identified that the initial lure documents that were previously sent via mail, are now found in the Telegram Desktop directory, suggesting the group is possibly making a shift in its initial delivery method.

In 2019, we detected activity by an unknown actor at the time deploying watering holes on websites representing Tibetan interests, fooling victims into installing fake Adobe Flash updates hosted on a GitHub repository. Kaspersky thwarted the attack by coordinating a takedown of this repository with GitHub. After a brief period of inactivity, we detected a new round of watering holes featuring a renewed toolset. We decided to call the group behind this activity Holy Water.

The threat actor’s unsophisticated but creative toolset has been evolving a lot since the inception date, may still be in development, and leverages Sojson obfuscation, NSIS installer, Python, open-source code, GitHub distribution, Go language, as well as Google Drive-based C2 channels.

Middle East

We recently detected a new, ongoing data exfiltration campaign targeting victims in Turkey that started in February 2020. While StrongPity’s TTPs in terms of targeting, infrastructure and infection vector haven’t changed, we observed a somewhat peculiar change in the documents they attempt to exfiltrate. In this campaign, StrongPity updated its latest signature backdoor, named StrongPity2, and added more files to exfiltrate to its list of common Office and PDF documents, including Dagesh Pro Word Processor files used for Hebrew dotting, RiverCAD files used for river flow and bridge modelling, plain-text files, archives as well as GPG encrypted files and PGP keys.

In March, we discovered a targeted campaign to distribute Milum, a Trojan designed to gain remote control of devices in target organizations, some of which operate in the industrial sector. The first signs of this operation, which we have dubbed WildPressure, can be traced back to August 2019; still, the campaign remains active. The Milum samples we have seen so far do not share any code similarities with any known APT campaigns. The malware provides attackers with remote control over infected devices, allows downloading and executing commands, collecting and exfiltrating information and installing upgrades in the malware.

In late December 2019, Kaspersky Threat Attribution Engine detected a new variant of the Zerocleare wiper that had possibly been used in targeted attacks on energy sector targets in Saudi Arabia. This quarter, we identified a new variant of this wiper, called Dustman. It is similar to Zerocleare in terms of wiping and distribution, but changes in variables and technical names suggest this might have been in readiness for a new wave of attacks specifically targeting Saudi Arabia’s energy sector, based on messages embedded in the malware and the mutex created by it. The PDB file of the Dustman wiper suggested that this destructive code was the release edition and was ready for deployment in a target network. These changes coincided with the New Year holidays, during which many employees take time off to celebrate. Shamoon was delivered with similar timing in 2012 during Ramadan celebrations.
...
Continue Reading
Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
GFYI [Official] EaseUS Christmas 2024 B...
Merry Christmas and ...zevish — 08:07
AirVPN Christmas Sale 2024!
AirVPN CHRISTMAS SAL...jasonX — 07:52
ON1 Software
ON1 Photo RAW 2025.1...jasonX — 06:29
QOwnNotes 19.1.6
24.12.4 The wel...Kool — 12:56
INTEL Arc Graphics 32.0.101.6325/6253 dr...
Highlights Fix...harlan4096 — 11:06

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
harlan4096's profile harlan4096
Administrator

>