Quote:SAS@Home 2020 – A series of highly targeted attacks by an APT group called MontysThree against industrial targets has been uncovered, with evidence that the campaign dates back to 2018.
That’s according to researchers from Kaspersky, who noted that the group uses a variety of techniques to evade detection, including using public cloud services for command-and-control (C2) communications, and hiding its main malicious espionage module using steganography.
Spy attacks on industrial holdings are far more unusual than campaigns against diplomats and other nation-state targets, according to the firm.
“Government entities, diplomats and telecom operators tend to be the preferred target for APTs, since these individuals and institutions naturally possess a wealth of highly confidential and politically sensitive information,” according to a Kaspersky analysis, issued on Thursday in tandem with its virtual Security Analyst Summit conference, SAS@Home. “Far more rare are targeted espionage campaigns against industrial entities—but, like any other attacks against industries, they can have devastating consequences for the business.”
The APT uses a toolset that it calls MT3, which consists of separate modules. The first—the loader—is initially spread using RAR self-extracted (SFX) archives. These, delivered via email, contain savvy lures related to employees’ contact lists, technical documentation and medical analysis, to trick industrial employees into downloading the files.
The loader obfuscates itself using steganography, which is the practice of hiding electronic information inside images.
“Steganography is used by actors to hide the fact that data is being exchanged,” according to Kaspersky. “In the case of MontysThree, the main malicious payload is disguised as a bitmap file. If the right command is inputted, the loader will use a custom-made algorithm to decrypt the content from the pixel array and run the malicious payload.”
Read more: https://threatpost.com/montysthree-apt-i...ts/159957/
![[-]](https://www.geeks.fyi/images/collapse.png)
