Advanced persistent threat (APT) activity in the third quarter shows an increase in the usage and number of new and previously unknown malicious toolsets, researchers said.

This research highlights a consistent trend showing attackers are further diversifying their techniques to evade detection, according to a report from Kaspersky.

The three-month APT trends summary for the last quarter is derived from Kaspersky’s private threat intelligence research, as well as other sources that report on major developments that researchers believe everyone should be aware of.

In the third quarter, Kaspersky researchers’ biggest observation is that APTs are expanding their toolsets across the world. The most significant changes include:

Schneider Bold

• Turla (aka Venomous Bear, Uroburos and Waterbug) has made significant changes to its toolset. While investigating malicious activity in Central Asia, Kaspersky identified a new backdoor that was attributed with some degree of confidence to this APT group. The malware, named “Tunnus,” is a .NET-based backdoor with the ability to run commands or perform file actions on an infected system and send the results to its command-and-control servers. So far, the infrastructure has been built using compromised sites with vulnerable WordPress installations. According to the company’s telemetry, Tunnus activity started in March and remained active.

• Turla has also wrapped its famous JavaScript KopiLuwak malware in a new dropper called “Topinambour.” This is a new .NET file the group is using to distribute and drop its JavaScript KopiLuwak through infected installation packages for legitimate software programs such as VPNs. Some of the changes help Turla dodge detection. The two KopiLuwak analogues, the .NET “RocketMan” Trojan and the PowerShell “MiamiBeach” Trojan, are used for cyber-espionage. It is possible the threat actor deploys these versions when its targets are protected with security software able to detect KopiLuwak. All three implants are able to fingerprint targets, gather information on the system and network adapters, steal files, and download and execute additional malware.

• HoneyMyte (aka Temp.Hex and Mustang Panda), which has been active for several years, has adopted different techniques to perform its attacks over the past couple of years and has focused on various targeting profiles. The campaign targeted government entities in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh. The actor’s attacks relied on a diversified set of tools: (a) PlugX implants; (b) a multi-stage package resembling the CobaltStrike stager and stageless droppers with PowerShell and VB scripts, .NET executables, cookie-stealers and more; (c) ARP poisoning with DNS hijacking malware, used to deliver poisoned Flash and Microsoft updates over plain HTTP for lateral movement; and finally (d) various system and network utilities. Based on the targeting of government organizations related to natural resource management in Myanmar and a major continental African organization, it is possible that one of the main motivations of HoneyMyte is gathering geo-political and economic intelligence.
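The ARP poisoning used for lateral movement in item (c) above is one of the few techniques in this summary that a defender can check for directly at the network layer. The following is an added example, not Kaspersky’s code and not anything recovered from the HoneyMyte tooling: a small detector that consumes ARP replies as a sensor on a span port would deliver them and raises alerts when the gateway IP is claimed by an unexpected MAC, when one IP flaps between MACs, or when a single MAC answers for more IPs than a normal host should. The gateway address, its real MAC, and the sample replies are all constructed for the illustration.

```python
"""Defender-side check for ARP cache poisoning over observed ARP replies.

Added illustration; not Kaspersky's code and not the HoneyMyte tooling.
Assumptions (constructed for this example): the analyst knows the default
gateway's IP and real MAC, and ARP replies arrive as simple records from a
sensor such as a span-port capture.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # the IP the reply claims to answer for
    sender_mac: str    # the MAC that claims it


def normalize(mac: str) -> str:
    """Canonical lower-case, colon-separated MAC so comparisons are exact."""
    return mac.lower().replace("-", ":")


def detect_arp_poisoning(replies, gateway_ip, gateway_mac, max_ips_per_mac=2):
    """Return a list of (rule, detail) tuples, in a stable order.

    Rules:
      gateway_impersonation - a reply binds the gateway IP to a MAC other
                              than the known gateway MAC
      ip_mac_flapping       - the same IP is claimed by more than one MAC
      mac_claims_many_ips   - one MAC answers for more IPs than a host should
                              (a poisoner typically impersonates both ends)
    """
    gateway_mac = normalize(gateway_mac)
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = []
    for r in replies:
        mac = normalize(r.sender_mac)
        if r.sender_ip == gateway_ip and mac != gateway_mac:
            alerts.append(("gateway_impersonation",
                           f"t={r.ts}: {gateway_ip} claimed by {mac}, expected {gateway_mac}"))
        ip_to_macs[r.sender_ip].add(mac)
        mac_to_ips[mac].add(r.sender_ip)
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            alerts.append(("ip_mac_flapping", f"{ip} seen from {sorted(macs)}"))
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > max_ips_per_mac:
            alerts.append(("mac_claims_many_ips", f"{mac} answers for {sorted(ips)}"))
    return alerts


# Constructed sample capture: the real gateway and a workstation answer first,
# then a rogue host starts answering for the gateway, the workstation and a
# third address (the pattern of a man-in-the-middle on the segment).
GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "00:11:22:33:44:01"
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(0.5, "10.0.0.20", "00:11:22:33:44:20"),
    ArpReply(1.0, "10.0.0.1", "DE-AD-BE-EF-00-99"),
    ArpReply(1.1, "10.0.0.20", "de:ad:be:ef:00:99"),
    ArpReply(1.2, "10.0.0.99", "de:ad:be:ef:00:99"),
]

if __name__ == "__main__":
    for rule, detail in detect_arp_poisoning(SAMPLE_REPLIES, GATEWAY_IP, GATEWAY_MAC):
        print(f"[{rule}] {detail}")
```

Run against the sample, the detector produces one gateway impersonation alert, two flapping alerts (the gateway and the workstation) and one many-IPs alert for the rogue MAC. The `max_ips_per_mac` threshold is deliberately low; on segments with routers or virtualization hosts that legitimately answer for several addresses it should be raised or those MACs allow-listed.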

“Just as we predicted last year, in seeking to evade detection, threat actors refresh their toolsets and go into deep waters,” said Vicente Diaz, security researcher, global research and analysis team at Kaspersky. “This quarter, we have seen this clearly in the developments by a number of APT actors and campaigns across the globe. This is a challenge for researchers. When a new campaign is observed, it’s not always immediately clear whether the tools used are the result of an established threat actor revamping its tools, or a completely new threat actor making use of the tools developed by an existing APT group. Still, it highlighted the importance of investing in threat landscape intelligence. Knowledge is power, and you can only know where the danger might come from by informing yourself in advance.”

Click here to read the full APT Q3 2019 trends report.
