APT trends report Q1 2019
02 May 19, 16:01
Quote: For just under two years, the Global Research and Analysis Team (GReAT) at Kaspersky Lab has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They aim to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activities that we observed during Q1 2019.
Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact ‘intelreports@kaspersky.com’.
The most remarkable finding
Targeting supply-chains has proved very successful for attackers in recent years – ShadowPad, CCleaner and ExPetr are good examples. In our threat predictions for 2019, we flagged this as a likely continuing attack vector; and we didn’t have to wait very long to see this prediction come true. In January, we discovered a sophisticated supply-chain attack involving the ASUS Live Update Utility, the mechanism used to deliver BIOS, UEFI and software updates to ASUS laptops and desktops. The attackers behind “Operation ShadowHammer” added a backdoor to the utility and then distributed it to users through official channels. The goal of the attack was to target with precision an unknown pool of users, identified by their network adapter MAC addresses. The attackers were found to have hardcoded a list of MAC addresses into the Trojanized samples, representing the true targets of this massive operation. We were able to extract over 600 unique MAC addresses from more than 200 samples discovered in this attack, although it’s possible that other samples exist that target different MAC addresses.
Russian-speaking activity
Russian-speaking groups were not especially active during the first part of the year, with no noteworthy technical or operational changes. However, they continued their non-stop activity in terms of spreading, with a special interest in political activity.
This was apparent in an attack focused on the Ukraine elections. The attack surfaced after we discovered a malicious Word document targeting a German political advisory organization. This organization, according to its website, “advises political decision-makers on international politics and foreign and security policy”. Our technical analysis of the attack suggests that the Sofacy or Hades groups are behind it, though we’re unable to say for sure which of these groups is responsible.
Such political interests are not new. Recently, a court in Virginia gave Microsoft control of a group of websites that were intended to look like login sites for a Washington think tank, but are believed to be part of the infrastructure of a “Russian group suspected in the DNC hack”.
Additionally, Microsoft revealed that a “Russian nation-state hacking group” targeted political organizations engaged in the 2019 European Parliament elections scheduled for the end of May.
On the technical side, since mid-January we have been tracking an active Turla campaign targeting government bodies in Turkmenistan and Tajikistan. This time the actor delivered its known KopiLuwak JavaScript using new .NET malware, called “Topinambour” (aka Sunchoke) by its developers. The Topinambour dropper is delivered along with legitimate software and consists of a tiny .NET shell that waits for Windows shell commands from operators. Interestingly, in this campaign the attackers used different artefacts implemented in JavaScript, .NET and PowerShell – all of them with similar functionality.
We also published details on how Zebrocy has added the “Go” language to its arsenal – the first time that we have observed a well-known APT threat actor deploy malware with this compiled, open source language. Zebrocy continues to target government-related organizations in Central Asia, both in-country and in remote locations, as well as a new diplomatic target in the Middle East.
Finally, during February 2019 we observed a highly targeted attack in Crimea using a previously unknown malware. The spy program was spread by email and masqueraded as the VPN-client of a well-known Russian security company that, among other things, provides solutions to protect networks. At this point we can’t relate this activity to any known actor.
Chinese-speaking activity
Recent APT trend summaries included analyses of new Chinese-speaking threat actors as well as the resurgence of old activity sets. This has continued into 2019.
In the early months of 2019, Chinese-speaking actors were the most active, with a traditional interest in targeting different countries in South East Asia. A recent indictment of two Chinese nationals by the US Department of Justice on charges of computer hacking, conspiracy to commit wire fraud and aggravated identity theft, alleged that they were members of the APT10 group, carrying out illegal activity on behalf of the Chinese Ministry of State Security.
Similarly, CactusPete (aka LoneRanger, Karma Panda, and Tonto Team) is reported to have targeted South Korean, Japanese, US, and Taiwanese organizations in the 2012 – 2014 timeframe. The actor has quite likely relied on much the same codebase and implant variants for the past six years. However, these have broadened substantially since 2018. The group spear-phishes its targets, deploys Word and Equation Editor exploits and an appropriated/repackaged DarkHotel VBScript zero-day, delivers modified and compiled unique Mimikatz variants, GSEC and WCE credential stealers, a keylogger, various Escalation of Privilege exploits, various older utilities and an updated set of backdoors, and what appear to be new variants of custom downloader and backdoor modules.
We have been monitoring a campaign targeting Vietnamese government and diplomatic entities abroad since at least April 2018. We attribute the campaign, which we call “SpoiledLegacy”, to the LuckyMouse APT group (aka EmissaryPanda and APT27). The operators use penetration testing frameworks such as Cobalt Strike and Metasploit. While we believe that they exploit network services vulnerabilities as their main initial infection vector, we have also seen spear-phishing messages containing decoy documents. We believe that, as in a previous LuckyMouse campaign, internal database servers are among the targets. For the last stage of their attack they use different in-memory 32- and 64-bit Trojans injected into system process memory. It is worth highlighting that all the tools in the infection chain dynamically obfuscate Win32 API calls using leaked HackingTeam code.
FireEye defined APT40 as the Chinese state-sponsored threat actor previously reported as TEMP.Periscope, Leviathan and TEMP.Jumper. According to FireEye, the group has conducted operations in support of China’s naval modernisation effort since at least 2013, specifically targeting engineering, transportation and defence industries, especially where these sectors overlap with maritime technologies. Recently, FireEye also observed specific targeting of countries strategically important to the “Belt and Road” Initiative, including Cambodia, Belgium, Germany, Hong Kong, the Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States and the United Kingdom.
Interestingly, the use of newer ANEL versions by APT10, targeting Japan, allowed us to find similarities between this malware and Emdivi, malware previously used by BlueTermite. This suggests a potential connection between both actors.