APT Groups Finding Success with Mix of Old and New Tools

  • The APT threat landscape is a mixed bag of tried-and-true tactics and cutting-edge techniques, mostly supercharged by geopolitics, a report finds.

    Advanced persistent threat (APT) groups continue to use the fog of intense geopolitics to supercharge their campaigns, but beyond these themes, actors are developing their own signature methods for success.

    That’s according to Kaspersky’s most recent APT trends report for Q3 2020, which found that some groups are innovating and pushing technical boundaries, while others take a more low-tech approach, honing their messaging around COVID, the elections and other headlines.

    “While some threat actors remain consistent over time and simply look to use hot topics such as COVID-19 to entice victims to download malicious attachments, other groups reinvent themselves and their toolsets,” said Ariel Jungheit, senior security researcher at the Global Research and Analysis Team at Kaspersky. “The widening scope of platforms attacked, continuous work on new infection chains and the use of legitimate services as part of their attack infrastructure, is something we have witnessed over the past quarter.”

    These divergent approaches were best represented by two groups in particular, according to the report: DeathStalker and MosaicRegressor.


    DeathStalker, the report said, has been successful using the same tactics since 2018 to target law firms and companies in the financial sector.

    “The group’s interest in collecting sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services or acting as an information broker in financial circles,” according to the report. “The activities of this threat actor first came to our attention through a PowerShell-based implant called Powersing.”

    But while this approach is focused more on headline-driven messaging for phishing emails, the report added that a couple of technical developments in DeathStalker’s tactics are worth noting.

    “For instance, the malware directly connects to a command-and-control (C2) server using an embedded IP address or domain name, as opposed to previous variants where it used at least two dead-drop resolvers (DDRs) or web services, such as forums and code-sharing platforms, to fetch the real C2 IP address or domain,” the report explained. “Interestingly, for this campaign the attackers did not limit themselves merely to sending spear-phishing emails but actively engaged victims through multiple emails, persuading them to open the decoy, to increase the chance of compromise.”

    Researchers added that this was the first time they had observed a malicious actor both using advanced techniques to bypass security and “dropping PE binaries to load EvilNum.”

    The Kaspersky team also noted that they suspect DeathStalker is using a new PowerShell implant they named “PowerPepper.”

    “The delivery workflow uses a Microsoft Word document and drops a previously unknown PowerShell implant that relies on DNS over HTTPS (DoH) as a C2 channel,” the report said.
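    As an added illustration (not code from the report or from Kaspersky), the following hunting heuristic scans constructed endpoint telemetry for non-browser processes that repeatedly reach DNS-over-HTTPS endpoints, the kind of legitimate-service channel the report attributes to PowerPepper. The log format, the resolver list and the process names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the report): "timestamp host image destination path".
SAMPLE_LOG = r"""
2020-10-05T09:12:01Z ws-17 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dns.google /dns-query
2020-10-05T09:12:05Z ws-17 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dns.google /dns-query?dns=AAABAAAB
2020-10-05T09:12:09Z ws-17 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dns.google /dns-query
2020-10-05T09:12:10Z ws-03 C:\Program Files\Mozilla Firefox\firefox.exe mozilla.cloudflare-dns.com /dns-query
2020-10-05T09:12:30Z ws-03 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cloudflare-dns.com /dns-query
2020-10-05T09:13:00Z ws-22 C:\Windows\System32\svchost.exe update.example.test /api/v1/check
"""

# Assumed allow-list of browsers that legitimately speak DoH, and known public DoH resolvers.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "brave.exe"}
KNOWN_DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net"}

# Image paths may contain spaces, so the image is matched non-greedily and the last two tokens
# are taken as destination and URL path.
LINE_RE = re.compile(r"^(\S+) (\S+) (.+?) (\S+) (\S+)$")


def parse_line(line):
    """Parse one telemetry line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, image, dest, path = m.groups()
    return {"ts": ts, "host": host, "image": image.rsplit("\\", 1)[-1].lower(),
            "dest": dest.lower(), "path": path}


def is_doh(ev):
    """A request counts as DoH if it hits a known resolver or uses the RFC 8484 /dns-query path."""
    return ev["dest"] in KNOWN_DOH_RESOLVERS or ev["path"].startswith("/dns-query")


def hunt_doh_c2(log_text, min_hits=3):
    """Return {(host, image): count} for non-browser processes with at least min_hits DoH requests."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_doh(ev) and ev["image"] not in BROWSERS:
            counts[(ev["host"], ev["image"])] += 1
    return {k: v for k, v in counts.items() if v >= min_hits}


if __name__ == "__main__":
    for (host, image), n in sorted(hunt_doh_c2(SAMPLE_LOG).items()):
        print(f"{host}: {image} made {n} DoH requests (review for scripted C2)")
```

    The threshold and allow-list are tuning knobs; a single DoH request from an unusual process is worth a look, while repeated beaconing from a scripting host is a stronger hunting lead.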

    DeathStalker represents a fairly basic, low-tech set of tactics, techniques and procedures (TTPs), while MosaicRegressor’s UEFI implant occupies the high-tech end of the APT spectrum.


    In early October, Kaspersky researchers reported the discovery of “rogue UEFI firmware images,” modified to deliver malware, which the team dubbed “MosaicRegressor” as part of a broader framework. Components of the MosaicRegressor framework were part of attacks launched against diplomats and African, Asian and European non-governmental organizations, and were traced back to North Korea.

    UEFI is a specification that defines the structure and operation of low-level system firmware, including the loading of the operating system itself. It can also be used when the OS is already up and running, for instance in order to update the firmware. The UEFI firmware bootkit that is part of MosaicRegressor loads the operating system itself, meaning a threat actor can modify the system to load malware that will run after the OS is loaded. Thus, it will be resistant to reinstalling the operating system or even replacing the hard drive, researchers said.

    The report added that APT attacks have spiked in recent weeks in Southeast Asia, the Middle East and “various regions affected by the activities of Chinese-speaking APT groups.”

    “Overall, what this means for cybersecurity professionals is this: defenders need to invest resources in hunting malicious activity in new, possibly legitimate environments that have been scrutinized less in the past,” Jungheit concluded. “That includes malware that is written in lesser-known programming languages, as well as through legitimate cloud services. Tracking actors’ activities and TTPs allows us to follow as they adopt new techniques and tools, and therefore prepare ourselves to react to new attacks in time.”
