APT trends report Q3 2022

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q3 2022.

Readers who would like to learn more about our intelligence reports or request more information on a specific report, are encouraged to contact intelreports@kaspersky.com.

On July 7, CISA issued an alert, “North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector“, based on a Stairwell report about Maui ransomware. We can confirm a Maui ransomware incident in 2022, but we would expand their “first seen” date from the reported May 2021 to April 15, 2021, and the geolocation of the target to Japan and India. Since the malware in this incident was compiled on April 15, 2021, and compilation dates are the same for all known samples, this incident is likely to be the first involving Maui ransomware. No useful information is provided in the CISA report attributing the ransomware to a North Korean actor, but we found that approximately 10 hours prior to deploying Maui to the system the group also deployed a variant of DTrack to the system. This and other data points should help solidify attribution to the Korean-speaking APT Andariel (aka Silent Chollima and Stonefly) with low-to-medium confidence. You can read our public report on Andariel’s use of DTrack and Maui here.

DTrack is a backdoor used by subsets of the Lazarus group. The backdoor has been used in a variety of attacks, including ransomware attacks and espionage campaigns. We have reported it several times in the past and also more recently, as it plays an important role in Lazarus’s activity. In March, we detected new DTrack samples packed in a different way and with relatively few changes in the code. In our report that will be published in November, we will analyze this latest set of samples in detail, describing the changes and the packing mechanisms. We will also highlight new victimology, including various targets across Europe.

Russian-speaking activity

We first documented the threat actor HotCousin in 2021 as a cluster of malicious activities leveraging the EnvyScout implant, publicly attributed to Dark Halo (NOBELIUM) by Microsoft. Our recent investigations show that this year, from February at least, HotCousin has attempted to compromise foreign affairs ministries in Europe, Asia, Africa and South America. The group’s TTPs remained consistent with those we described before. The victims are targeted with spear-phishing emails that trick them into mounting a malicious ISO file and double-clicking an LNK, which starts the infection chain. The first infection usually aims to install a downloader, which attempts to download other malicious implants from legitimate web services. The final payload is typically a commercially available implant such as Cobalt Strike. Some of these activities were also observed by other vendors, notably with descriptions of downloaders that obtain additional implants from external services such as Dropbox, Google Drive and Trello. In most cases, the targets appear to be diplomatic and government organizations in Europe. We are still unable to identify any significant link between HotCousin and Dark Halo/NOBELIUM or The Dukes/APT29; but the targets, techniques and tradecraft all coincide with activities that are publicly described as APT29.

Chinese-speaking activity

At the beginning of 2021, Kaspersky published a private report about the A41APT campaign. This report included technical details of malware used in the campaign, such as Ecipekac, SodaMaster, P8RAT, FYAnti and QuasarRAT. Together with our research partners, we observed the activities of the A41APT campaign throughout 2021 and presented this research at the Japan Security Analyst Conference 2022 (“What We Can Do against the Chaotic A41APT Campaign”). In December 2021, Trend Micro also published a blogpost about their investigation into the latest activities of the threat actor behind the A41APT campaign, which they named Earth Tengshe. Trend Micro believes that this campaign has strong connections to the APT10 threat actor. Their blogpost also introduced new malware, dubbed Jackpot – previously unknown fileless malware targeting IIS servers. Our research findings overlapped with Trend Micro’s on some of the new TTPs, such as updated versions of SodaMaster and Ecipekac and a new malicious fileless IIS module dubbed IISBack. However, we also discovered a new malicious implant that has been used by this actor to deploy SodaMaster since 2015: we named this module HUI loader. Our research also revealed the evolution of some of the malware implants used by this threat actor over the years, such as Ecipekac and SodaMaster.

Since April, we have detected a number of KeyPlug malware samples being deployed in the systems of high-profile victims in Asian countries, with some traces going back to late 2021. KeyPlug is a modular backdoor with the capability of communicating to its server via several network communication protocols set in its XOR-encrypted embedded configuration block. The server infrastructure is mostly based on Cloudflare CDN, with each of the malware samples we have collected containing only one domain and several IP addresses that all point to the same domain on the CDN network. Once connected to the server, the malware downloads further modules as plugins and loads them on the victim’s machine. The malware and the infrastructure used in these attacks have similarities with previously known APT41 activities. However, these attacks can only be attributed to APT41 with medium confidence; and it is also possible that another threat actor is behind the attacks.

We recently analyzed the targeting of online gambling platform development studios and IT recruitment organizations by DiceyF, using the GamePlayerFramework. This is related to older PuppetLoader code, but has been re-designed and re-written in C#. DiceyF steals code-signing certificates to digitally sign malware, embeds artefacts and strings within its malware mimicking the legitimate software signed with these certificates, and then distributes the signed malware via software distribution servers. Most targets were in Hong Kong and the Philippines, but there were also some in China and Vietnam.

In March, we observed the use of a Microsoft Word file as the infection vector in some attacks. In June, we found a SFX file using a decoy file containing Japanese content. We also discovered a new downloader shellcode, that we dubbed DOWNIISSA, used to deploy the LODEINFO backdoor. While the targets are Japanese and consistent with the usual victimology of APT10, we also found hints of possible operations in Russia and Malaysia. Furthermore, we investigated new versions of LODEINFO shellcode, namely v0.5.9, v0.6.2, v0.6.3 and v0.6.5, in March, April and May respectively. These findings show that APT10, which appeared to be inactive for some time, has resumed its activities with the new version of LODEINFO.

In April, our product detected CobaltStrike loaders in a diplomatic organization in APAC that has been targeted by several APT actors in the past. The loaders caught our attention because one of them displayed a legitimate digital signature from a software development company, whom we alerted to the incident. Digging deeper, we found several variants leveraging either HTTP or raw TCP communication protocols and discovered traces of post-exploitation activities related to them, as well as simultaneous use of Radmin and Gh0stRAT. Natural language artefacts and weak TTPs indicate that this attack may be attributed to Chinese-speaking attackers, but we were unable to tie this activity to any existing group. In fact, we couldn’t find any other use of the droppers presented in our report beyond this incident.

Middle East

We recently discovered and analyzed FramedGolf, a previously undocumented IIS backdoor that could only be found in Iran and which was designed to establish a persistent foothold in targeted organizations. Notably, the backdoor has been deployed after successful exploitation of ProxyLogon-type vulnerabilities on Exchange servers. The malware has been used to compromise at least a dozen organizations, starting in April 2021 at the latest, with most still compromised in late June 2022.

SoleDragon is complex malware used by the SilentBreak threat group. Kaspersky first discovered this malware in 2018, together with the CVE-2018-8453 vulnerability. In 2019, SoleDragon was also deployed through Skype. After that, there was no information about SoleDragon until we detected two new implants at the end of 2021. The implants, which targeted organizations in the Middle East, share code similarities with older SoleDragon samples. One of the newly discovered implants is a C++ backdoor, SoleExecutor, that waits for an activation message, then receives a DLL and launches it; the other implant is a keylogger we dubbed Powerpol.

In June, we identified a previously unknown Android spyware app that targets Persian-speaking individuals. SandStrike is distributed as a means to access resources about the Baháʼí religion that are banned in Iran. It provides victims with a VPN connection that can be used to browse these resources. The spyware itself collects various data from the victims’ devices, such as call logs or lists of contacts. During execution, it connects to the C2 server to request commands: these commands allow attackers to perform operations with the device file system.

DeftTorero (aka Lebanese Cedar, Volatile Cedar) is an APT actor that probably originates from the Middle East and is known to focus on victims in the same region. While its activities have been observed since 2012, its presence was only revealed in 2015 (Kaspersky was among the first to report it) and no public activity was recorded until January 2021. The public reports available to date expose and discuss the final payload – Explosive RAT – and the web shells used in the initial foothold, with little on TTPs. Our report focuses much more on the TTPs used by the threat actor in intrusions between late 2019 and mid-2021. Based on our telemetry, the January 2021 indicators do not necessarily represent new intrusions or new malware samples, as the detections were relatively old (between 2018 and 2020), and the Explosive RAT samples did not contain significant modifications. Analyzing previous intrusions, we suspect the gap in new detections is due to the fact that the threat actors were (and possibly still are) using fileless techniques and public offensive tools used by many threat actors, such as Metasploit, Mimikatz, Crackmapexec, known web shells, and other known tools. This gives the operators a level of anonymity in compromising their targets and victims.

Southeast Asia and Korean Peninsula

We observed a rise in the use of the DeathNote cluster recently. In March, we saw Lazarus use it against victims in South Korea. The actor possibly used a strategic web compromise, employing an infection chain similar to that which we previously reported, abusing an endpoint security program. However, we discovered that the malware and infection schemes have been updated. The attacker used a multi-stage infection, starting with the Racket Downloader. Through Racket Downloader, the operator deployed additional malware for further post-exploitation activity. In this phase, the actor used malware that we hadn’t seen before, with minimal functionality to execute commands from the C2 server. Using this implanted backdoor, the operator conducted many hands-on keyboard activities. They lurked in this victim’s environment for a month and executed various commands to collect basic system information. Also, we observed how they attempted to find valuable hosts with high privileges, such as file servers or Active Directory servers. Lazarus Group delivered additional malware such as a keylogger and password-dumping tool to collect more information. Moreover, as a result of working closely with KrCERT, we had a chance to look into the adversary’s C2 scripts. They employed a similar C2 structure as before, compromising a web server and configuring a multi-stage C2 server, with the first stage server acting as a proxy server and the second stage server used for controlling victims.

We uncovered an ongoing campaign targeting defense contractors in South Africa and Brazil. The threat actor behind the attacks contacted potential victims via social media or email and sent the initial malware through Skype. The malware is a Trojanized PDF application that initiates a multi-stage infection chain, loading additional payloads that contain C2 communication capability via the DLL sideloading technique. Additionally, the threat actor deployed additional malware to the initial host to pivot and perform lateral movement. In this process, the operator took advantage of a relatively new DLL sideloading technique named ServiceMove. This technique was introduced by a red team researcher and abused the Windows Perception Simulation Service to load arbitrary DLL files for malicious purposes. This notorious threat actor operates several clusters and attacks various targets based on its intentions. In one of the victims, we observed a similar initial infection vector. However, the actor used different malware. Lazarus Group is equipped with various tools and employs them with various infection chains. While examining all the samples in this case, we observed different clusters: ThreatNeedle, Bookcode, and DeathNote.

For over a decade, the Tropic Trooper APT actor has been actively targeting victims in East and Southeast Asia. We have been tracking this threat actor for several years and previously published an APT threat report describing its malicious operations. Earlier this year, Symantec published a report describing a campaign called Antlion, which has been observed targeting financial institutions in Taiwan. While analyzing the IoCs of this campaign, we found strong connections with the Tropic Trooper threat actor, leading us to conclude that this group is behind the Antlion campaign. In our investigation, we discovered and studied different attacks conducted by this threat actor using the malware families described in Symantec’s blog post, together with new versions of the malware we reported in one of our reports on Tropic Trooper a few years ago. We managed to uncover the infection chain for these attacks, the attack infrastructure, lateral movement and post-exploitation activities carried out by this actor. Besides the finance sector, additional target verticals include the tech hardware and semiconductors industry, as well as a political entity. Furthermore, we discovered a previously unknown, multi-module backdoor deployed to a victim machine in August 2021 that uses the MQTT protocol for network communication with its C2 server. Tracing the history of this backdoor, it appears the module has been used by this threat actor since at least 2019 and only with a select set of targets.

Kimsuky is a prolific and active threat actor primarily targeting North Korea-related entities. Like other sophisticated adversaries, this group also updates its tools frequently. Recently, however, we had a chance to take a thorough look at how they configure their C2 servers and what kind of tricks they use to confirm and further validate their victims. The Kimsuky group configured multi-stage C2 servers with various commercial hosting services located around the world. We believe the attacks occur in several stages. First, the actor sends a spear-phishing email to the potential victim with a lure to download additional documents. If the victim clicks the link, it results in a connection to the first stage C2 server, with an email address as a parameter. The first stage C2 server verifies that the incoming email address parameter is an expected one and delivers the malicious document if it’s in the target list. The first stage script also forwards the victim’s IP address to the next stage server. When the fetched document is opened, it connects to the second C2 server. The corresponding script on the second C2 server checks the IP address forwarded from the first stage server, to verify that it’s an expected request from the same victim. Using this IP validation scheme, the actor verifies whether the incoming request is from the victim or not. On top of that, the operator relies on several other processes to carefully deliver the next payload. Another C2 script on the second C2 server checks operating system type and predefined user-agent strings, to filter out requests from security researchers or auto-analysis systems. Our research underlines how the Kimsuky threat actor pays close attention to validating legitimate victims and delivering the next stage payloads to them.

Following our analysis report on Dropping Elephant’s activities last year, we continued to track this threat actor’s activities. The group has remained very active over the past year: we investigated numerous attacks against military, diplomatic and educational institutions in Pakistan and China. From analysis of the samples we collected, it’s clear that Dropping Elephant did not discard its traditional JakyllHyde RAT (aka BadNews), but in recent attacks we have seen a shift towards using PubFantacy, and we’ve even seen some features of JakyllHyde ported to PubFantacy. At the same time, we also found new malware developed using Delphi. Dropping Elephant’s main attack methods are still phishing and attacking vulnerable Office suites. Where CVE-2017-0261 was used before, CVE-2017-11228 replaces it.

Other interesting discoveries

On July 30, an actor going by the name Adastrea posted a message on two dark web forums that they were selling 60GB of confidential and restricted information belonging to MBDA, NATO, and the Italian Ministry of Defense. Adastrea is a brand-new account and defines itself as an independent group of specialists and researchers in cybersecurity. In another post on August 10, the actor offered 500MB of military intelligence data reportedly stolen from the Philippines. We weren’t able to acquire and analyze that leak. In its post from July, the threat actor also shared demo files hosted on MEGA (only 47MB), and wrote that they would discuss prices for the leak in a private chat, sharing their XMPP account and a Protonmail email address. Following these statements, MBDA denied any compromise in a press release. A week later, on August 7, the threat actor posted new evidence of exfiltrated data. Kaspersky ICS-CERT was able to obtain parts of the private exfiltrated data, which was analyzed with the help of the Kaspersky Global Research and Analysis Team to better understand the TTPs and veracity of the forum posts made by the threat actor.

We discovered a previously unknown backdoor in active use since at least December 2020. This backdoor’s primary purpose is to log and exfiltrate passwords, matching the functionality of the Security Support Provider (SSP) DLL it leverages. Along with the gathered passwords, the backdoor collects typical information about the infected system and provides the attacker with several commands to manipulate and execute files. This backdoor comprises an encrypted shellcode that allows the attacker to execute arbitrary code received over an encrypted channel. We have found a very limited set of victims in Japan and Ethiopia, and no ties to previously known malware families or threat actors.

In September, we published our analysis of Metatron, a new and very sophisticated malware platform that has been used to target telecoms companies, ISPs and universities in the Middle East and Africa. Metatron is a modular implant boot-strapped through a Microsoft Console Debugger script. The backdoor supports multiple transport modes and offers forwarding and port knocking features: it implements 67 different commands. The original samples were provided by SentinelOne and analysed in collaboration with them.

Final thoughts

While the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organization or compromising an individual’s device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.

Here are the main trends that we’ve seen in Q3 2022:

  • APT campaigns are very widely spread geographically. This quarter, we have seen actors expand their attacks into Europe, the US, Korea, Brazil, the Middle East and various parts of Asia.
  • The targets chosen by APT threat actors are equally diverse. They include government and diplomatic bodies, defense contractors, the finance sector, the tech hardware and semiconductors sector and IT recruitment and gambling sectors.
  • Geopolitics remains a key driver of APT development and cyber-espionage continues to be a prime aim of APT campaigns. However, the use of ransomware by Andariel illustrates that this isn’t the only motive for APT attacks.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.

Disclaimer: when referring to APT groups as Russian-speaking, Chinese-speaking or “other”-speaking languages, we refer to various artefacts used by the groups (such as malware debugging strings, comments found in scripts, etc.) containing words in these languages, based on the information we obtained directly or that is otherwise publicly known and widely reported. The use of certain languages does not necessarily indicate a specific geographic relation, but rather points to the languages that the developers behind these APT artefacts use.