This report included technical details of malware used in the campaign, such as Ecipekac, SodaMaster, P8RAT, FYAnti and QuasarRAT. Chinese-speaking activityĪt the beginning of 2021, Kaspersky published a private report about the A41APT campaign. We are still unable to identify any significant link between HotCousin and Dark Halo/NOBELIUM or The Dukes/APT29 but the targets, techniques and tradecraft all coincide with activities that are publicly described as APT29. In most cases, the targets appear to be diplomatic and government organizations in Europe. Some of these activities were also observed by other vendors, notably with descriptions of downloaders that obtain additional implants from external services such as Dropbox, Google Drive and Trello. The final payload is typically a commercially available implant such as Cobalt Strike. The first infection usually aims to install a downloader, which attempts to download other malicious implants from legitimate web services. The victims are targeted with spear-phishing emails that trick them into mounting a malicious ISO file and double-clicking an LNK, which starts the infection chain. The group’s TTPs remained consistent with those we described before. Our recent investigations show that this year, from February at least, HotCousin has attempted to compromise foreign affairs ministries in Europe, Asia, Africa and South America. We first documented the threat actor HotCousin in 2021 as a cluster of malicious activities leveraging the EnvyScout implant, publicly attributed to Dark Halo (NOBELIUM) by Microsoft. We will also highlight new victimology, including various targets across Europe. In our report that will be published in November, we will analyze this latest set of samples in detail, describing the changes and the packing mechanisms. In March, we detected new DTrack samples packed in a different way and with relatively few changes in the code. We have reported it several times in the past and also more recently, as it plays an important role in Lazarus’s activity. The backdoor has been used in a variety of attacks, including ransomware attacks and espionage campaigns. You can read our public report on Andariel’s use of DTrack and Maui here.ĭTrack is a backdoor used by subsets of the Lazarus group. This and other data points should help solidify attribution to the Korean-speaking APT Andariel (aka Silent Chollima and Stonefly) with low-to-medium confidence. No useful information is provided in the CISA report attributing the ransomware to a North Korean actor, but we found that approximately 10 hours prior to deploying Maui to the system the group also deployed a variant of DTrack to the system. Since the malware in this incident was compiled on April 15, 2021, and compilation dates are the same for all known samples, this incident is likely to be the first involving Maui ransomware. We can confirm a Maui ransomware incident in 2022, but we would expand their “first seen” date from the reported May 2021 to April 15, 2021, and the geolocation of the target to Japan and India. On July 7, CISA issued an alert, “ North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector“, based on a Stairwell report about Maui ransomware. Readers who would like to learn more about our intelligence reports or request more information on a specific report, are encouraged to contact most remarkable findings This is our latest installment, focusing on activities that we observed during Q3 2022. They are designed to highlight the significant events and findings that we feel people should be aware of. These summaries are based on our threat intelligence research and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |