APT trends report Q2 2023
For more than six years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research, and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activities that we observed during Q2 2023.
Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [email protected].
The most remarkable findings
Early in June, we issued an early warning of a long-standing campaign that we track under the name Operation Triangulation, involving a previously unknown iOS malware platform distributed via zero-click iMessage exploits. Kaspersky employees were also affected by this threat. In addition to reaching out to industry partners to assess the prevalence of this threat, we provided a forensic methodology to help readers determine whether their organization is targeted by the unknown group behind these attacks. We subsequently published a utility to check for indicators of compromise (IoCs).
Following this, we released the first of a series of additional reports describing the final payload in the infection chain: a highly sophisticated spyware implant that we dubbed “TriangleDB”. Operating in memory, this implant periodically communicates with the C2 (command and control) infrastructure to receive commands. The implant allows attackers to browse and modify device files, get passwords and credentials stored in the keychain, retrieve geo-location information, as well as execute additional modules, further extending their control over the compromised devices.
The Russo-Ukrainian conflict has ignited the movement of multiple factions around the world. Cyberattacks have spiked and various hacktivist groups have taken sides. Arising from the flames of this physical conflict, Killnet emerged as a group primarily focused on selling access to its stressor service. Driven by nationalist ideals and motivations, it swiftly gained prominence as one of the most influential hacktivist groups aligned with pro-Russian sentiments. Killnet, led by a person nicknamed “KillMilk”, is one of the leaders of the hacktivist movement that uses DDoS as a means of disruption. Backed by numerous allies and a growing fan base that provides support, Killnet has successfully targeted multiple entities affiliated with NATO or providing support to Ukraine in the ongoing conflict. Its recent attacks have extended to US healthcare organizations, while also leaking documents from various entities in an effort to cause both psychological and organizational repercussions among its adversaries. Our private report delved into the origins of Killnet: how it emerged; the tools of its trade; the communication channels it uses; its allies and adversaries and the groups it collaborates with; the monetary support that enables the group and its leader to sustain its activities; and the current and future direction of the group.
ToddyCat, a sophisticated threat actor, continues to operate in Asia, targeting government entities in Malaysia, Thailand and Pakistan. The group’s latest activities, from September 2022 until March 2023, involve a new set of custom loaders and its private post-exploitation tool “Ninja,” used to help it remain undetected. In the past year, ToddyCat has updated its toolset to avoid detection and reduce the number of targets. We now have better visibility into the group’s tactics, particularly in the areas of lateral movement, data collection and exfiltration. Additionally, ToddyCat has started using Cloudflare workers as C2 servers, aligning with a trend we’ve observed among other threat actors.
We also reported on ToddyCat Sylo, where the group introduced additional collection and exfiltration tools and used previously compromised user accounts with high privileges for lateral movement. Several tools were used to gather documents. The first, “LoFiSe”, packs files into a ZIP archive. The second is a PowerShell script that uses WinRAR to exfiltrate files. After collecting the data, archives with files were sent to OneDrive using another tool, “Pcexter”.
We’ve seen constant activity from the KelvinSecurity team over the past few years, dating back to 2015. The group has described itself as hacktivist and “grey hat” security oriented, and has sold and leaked databases, documents, and access belonging to entities worldwide. These attacks are occasionally motivated by activist factors or financial gain. In our private report, we presented an overview of previous and current attacks, the group’s objectives, and its methodologies. We explored the group’s infrastructure as a way of understanding how it shares its leaks, and provided insight into the group’s leadership and potential perpetrators.
We discovered a BlindEagle espionage campaign targeting government entities in Colombia, active since at least March of this year. BlindEagle has established a reputation for targeting institutions and corporations in South America, primarily engaging in cyber-espionage activities, while also engaging in financial information theft. In a recent report, we highlighted an incident where the threat actor utilized a modified version of the Quasar RAT, repurposing it as a banking Trojan to specifically target customers of financial entities in Colombia. However, in its latest campaign, BlindEagle has shifted its focus to another open-source RAT known as “njRAT”, with the primary objective of conducting espionage on its victims. Our analysis delved into BlindEagle’s most recent espionage campaign, covering the entire infection flow from the initial spear-phishing emails to the deployment of the njRAT implant.
We recently obtained JackalControl C2 communications from a campaign targeting government entities in Iran, active until early April 2023. The server response we gathered sheds light on the threat actor’s methodology for profiling victims, how it deploys and configures the JackalSteal component, and what types of files are deemed interesting. GoldenJackal, an APT group we discovered in 2020, primarily targets high-profile entities in the Middle East and South Asia. Over the years, we have closely monitored its activities and have published multiple reports detailing its TTPs and toolset.
Our monitoring activities also uncovered two new malware samples, named “JackalPerInfo” and “JackalScreenWatcher”, which we have linked to GoldenJackal and which we suspect have been part of their toolset since 2020. These tools are used in the post-exploitation stage of an attack, gathering screenshots and various files from an infected host. The samples were discovered on a system that was not protected by our products and scanned with our free Kaspersky Virus Removal Tool, which correctly detected and removed the threat. We believe that GoldenJackal targets only unprotected systems or systems without Kaspersky protection. Our report provided details on these new components, shedding further light on GoldenJackal’s toolset and TTPs.
On April 26, a third party publicly described BellaCiao (a malicious script dropper) and associated it with Charming Kitten (aka APT35). We retrieved several BellaCiao samples, including undocumented variants, and provided additional IoCs, as well as contextual information on related malicious activities and tools. The threat actor probably leveraged vulnerabilities on internet-facing servers to deploy BellaCiao. The operations date back to at least May 2022, and malicious infrastructure analysis indicates possible operations starting in 2021. While the threat actor has mostly deployed Plink to establish tunnels between malicious infrastructure and targeted servers, it also leveraged the open-source tool “bore”, written in Rust. We identified WatchMaster, a possibly related tool that attempts to dynamically delete ASP .NET files, except for some web shells on IIS servers. Our telemetry indicates that BellaCiao has been used against targets in Afghanistan, Austria, Israel and Turkey since at least November 2022. Additionally, the content of some samples suggests the implant was probably used to target organizations in Italy. The threat actor used BellaCiao to reach RDP servers and harvest credentials from compromised organizations.
In a previous report on the OilRig APT, we analyzed a targeted attack on an IT company in Jordan in August 2022, in a probable supply-chain attack on government institutions. That intrusion went silent in September 2022, and resurfaced with updated tools around November 2022, before going silent again. Recently we came across a new set of samples that resemble those from the previous intrusion in Jordan and use similar TTPs. However, this time we believe the infection took place at an IT company in the UAE. Our report highlighted the developments in the new intrusion used to drop the initial loaders, and provided an assessment of what to expect from such intrusions in the near future.
Southeast Asia and Korean Peninsula
In early September 2022, our team discovered several malware detections from the MATA cluster, previously attributed to the Lazarus group, targeting defense contractors in Eastern Europe. This campaign remained active until March 2023. Expanding the scope of our research, we investigated and discovered additional new, active campaigns with full infection chains, including an implant designed to work in air-gapped networks via USB sticks, as well as a Linux MATA backdoor. The new, updated MATA malware was distributed using spear-phishing techniques, with the attackers deploying their malware in multiple stages using validators. The threat actor also abused various security and anti-malware solutions used by the victims. The new MATA orchestrator introduced several modifications to its encryption, configuration and communication protocols and appears to have been rewritten from scratch. The next generation of MATA includes new functionality to circumvent network restrictions, allowing the actor to build complex proxy chains within the victims’ network, and to create a ‘stack’ of various communication protocols to be used for C2 communications.
We also discovered a new variant, MATAv5. This sophisticated malware, completely rewritten from scratch, exhibits an advanced and complex architecture that makes use of loadable and embedded modules and plugins. MATAv5 is capable of functioning as both a service and a DLL within different processes. The malware leverages Inter-Process Communication (IPC) channels internally and employs a diverse range of commands, enabling it to establish proxy chains across various protocols, including within the victim’s environment. While MATAv5 has undergone substantial evolution, and shares minimal code with its predecessors, there are still similarities in terms of protocols, commands, and plugin structures. These similarities suggest a consistent approach to functionality across different generations of the malware.
We have been tracking an unknown malware cluster, dubbed “ScoutEngine”. Initially, we found no similarities with known malware or threat actors. However, upon closer inspection of the entire malware, we discovered that this malware has been in continuous development since 2020. ScoutEngine has several numbered versions from 2.1 to 2.3. Each version has a different infection scheme, and the malware author has updated the method for retrieving the next stage payload and configuration data, decryption key, and C2 communication formats as the versions have evolved. ScoutEngine’s objective is to fetch additional payloads based on the attacker’s commands and execute them in memory. Unfortunately, we are currently unable to determine the final payload. Ultimately, we were able to confidently conclude that the Lazarus group is responsible for the ScoutEngine cluster. Its components and configurations closely resemble those of Lazarus malware: in particular, ScoutEngine employs an unusual method, previously observed in the CookieTime malware, to generate a registry path and acquire configuration data.
On March 29, CrowdStrike issued an alert about a supply-chain attack affecting the popular 3CXDesktopApp VoIP software. In their report, they tentatively attributed the ongoing attack to Lazarus. While investigating campaigns related to the 3CX attack, we uncovered evidence of another supply-chain attack targeting the X_TRADER software developed by Trading Technologies. This attack has been ongoing since late 2021 and shares similarities with the 3CX campaign. We notified Trading Technologies of the compromise of its web service assets on March 31 this year, and included guidance on how to handle the situation. Furthermore, we discovered that the actor behind the 3CX attack, which we also believe to be Lazarus with medium-high confidence, is using a backdoor that we have named “Gopuram” to target selected victims of the 3CX intrusion. Our analysis of Gopuram dates back to 2020, when we first encountered it on compromised systems alongside the AppleJeus malware known to be associated with Lazarus.
We discovered a recent BlueNoroff campaign that implements new malware delivery methods using Trojanized PDF readers, targeting both Windows and macOS systems using the same infection method. It appears that the actor distributed the Trojanized PDF reader along with a specially crafted PDF file. The malware is designed to execute only when the victim opens the malicious PDF file. Once opened, the PDF reader retrieves the offset of the decoy PDF document and the C2 URL from the PDF file. Our research has shown that the decoy documents used in this attack are related to venture capital and investigative reports from government agencies. Once the malware successfully retrieves this information, it sends the victim’s data to the remote server and initiates the execution of additional payloads delivered from the attacker’s servers. This is the first time that the BlueNoroff group has implemented macOS malware. Moreover, the group utilized compiled AppleScript during the initial stage of the attack, while the malware retrieved by the Trojanized PDF reader was created using the Rust programming language. This is the first time the BlueNoroff group has used Rust for its malware. As the target environment is diverse, the BlueNoroff group has employed additional programming languages and methodologies to efficiently deliver its malware.
The Asia-Pacific region has been a hotspot for cyberattacks by various threat actors for the past couple of years. Among the many APT actors active in this region, a number of them focus on Pakistani victims. We recently discovered a cluster of activity in this region focusing on a similar victim profile. We published two private reports on this threat actor, which we have named “Mysterious Elephant”. The first report highlighted the primary TTPs used by this threat actor over the past few years. Some of the tools used by Mysterious Elephant exhibit similarities with older tools that were previously employed by other threat actors in the region. For instance, earlier versions of the Rover backdoor, analyzed in our report, were used by SideWinder and Confucius. The second report focused on the analysis of a campaign targeting a number of victims associated with Pakistan’s foreign affairs. The primary malware utilized in this campaign is a new backdoor family that is dropped onto victims’ machines through a malicious RTF document that exploits the CVE-2017-11882 vulnerability. This document is downloaded via another spear-phishing document that serves as a remote template. The backdoor module establishes communication with its C2 server using Remote Procedure Call (RPC) and has the ability to execute files or commands on the victim’s machine, as well as receive files or commands from the C2 server for execution on the infected computer.
With Microsoft disabling macro-embedded Office documents, threat actors began adopting new malware delivery methods, among them the ScarCruft group, which swiftly changed its initial infection tactics. The group operates two clusters named “Chinotto” and “RokRat”. While they have historically relied heavily on macro-embedded Word documents, they have continuously adopted other file formats, such as compiled HTML (.CHM) and Windows shortcut (.LNK) files. Furthermore, to evade Mark-of-the-Web (MOTW) mitigation, these files were delivered in archive file formats such as .RAR and .ZIP, or in optical disk image (.ISO) file formats. Despite continuous testing of the initial infection vectors, the actors persisted in using the same final payload. The Chinotto cluster still employs the Chinotto PowerShell script as a final payload, which is responsible for executing Windows commands on the victim’s computer. Similarly, the RokRat malware is delivered to the victim through a complicated infection procedure. This shows that the threat actor is putting a lot of effort into the initial infection vector, while still relying on the same final payload.
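The delivery pattern described above (CHM, LNK and ISO payloads wrapped in archives so that the Mark-of-the-Web is lost on extraction) is something a mail gateway or triage script can flag before the user ever opens the attachment. The following is an added example, not Kaspersky tooling and not code from the report: it walks a ZIP attachment (recursing into nested ZIPs) and reports members with the file types named in the text, as well as encrypted members that a scanner cannot inspect. The sample archive it builds is constructed for the demonstration; ISO and RAR members are flagged by extension only, since inspecting those containers needs extra libraries.

```python
import io
import posixpath
import zipfile
from typing import List, Tuple

# File types the report describes being used as initial payloads inside archives.
SUSPICIOUS_EXT = {".lnk", ".chm", ".iso"}
# Nested containers we can open with the standard library.
ARCHIVE_EXT = {".zip"}


def _ext(name: str) -> str:
    return posixpath.splitext(name.lower())[1]


def triage_archive(data: bytes, path: str = "attachment.zip",
                   depth: int = 0, max_depth: int = 3) -> List[Tuple[str, str]]:
    """Return (member_path, reason) findings for a ZIP supplied as bytes.

    Nested ZIPs are opened recursively up to max_depth; encrypted members are
    reported rather than read, since their content is hidden from inspection.
    """
    if depth > max_depth:
        return [(path, f"nested deeper than {max_depth} levels, not inspected")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "not a valid ZIP")]

    findings: List[Tuple[str, str]] = []
    for info in zf.infolist():
        member = f"{path}/{info.filename}"
        ext = _ext(info.filename)
        if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags = encrypted
            findings.append((member, "encrypted member, content not inspectable"))
            continue
        if ext in SUSPICIOUS_EXT:
            findings.append((member, f"{ext} delivered inside archive; MOTW may not propagate"))
        if ext in ARCHIVE_EXT:
            findings.extend(triage_archive(zf.read(info), member, depth + 1, max_depth))
    return findings


def build_sample() -> bytes:
    """Constructed sample attachment: a decoy text file, a CHM, and a nested ZIP
    holding a .lnk. The member contents are placeholders, not real files."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.lnk", b"L\x00\x00\x00")  # constructed placeholder
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"hello")
        z.writestr("manual.chm", b"ITSF")  # constructed placeholder
        z.writestr("docs.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, reason in triage_archive(build_sample()):
        print(f"{member}: {reason}")
```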
While the TTPs of some threat actors remain consistent over time, relying heavily on social engineering to gain a foothold in a target organization or compromise an individual’s device, others have refreshed their toolsets and expanded the scope of their activities. Our regular quarterly reviews are designed to highlight the most significant developments among APT groups.
Here are the top trends we’ve seen in Q2 2023:
- One of the main highlights of the quarter was the discovery of the long-running Operation Triangulation campaign, including the previously unknown iOS malware platform.
- We’ve become accustomed to seeing established threat actors enhancing their toolsets over time. So far, this year has been no different – in particular, this includes Lazarus’s development of its MATA framework, the new delivery methods and programming languages used by BlueNoroff, new infection methods used by ScarCruft and new malware samples from GoldenJackal.
- We also saw a campaign from the newly discovered threat actor Mysterious Elephant.
- We continue to see threat actors using a variety of different programming languages.
- APT campaigns continue to be geographically dispersed. This quarter, we saw actors focusing their attacks on Europe, Latin America, the Middle East and various parts of Asia.
- Geopolitics remains a key driver of APT development, and cyber-espionage continues to be a prime goal of APT campaigns.
As always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.
Disclaimer: when referring to APT groups as Russian-speaking, Chinese-speaking or “other-speaking” languages, we refer to various artefacts used by the groups (such as malware debugging strings, comments found in scripts, etc.) containing words in these languages, based on the information we obtained directly or that is otherwise publicly known and widely reported. The use of certain languages does not necessarily indicate a specific geographic relation, but rather points to the languages that the developers behind these APT artefacts use.