Reader Advisory

Some articles posted in The SlickMaster's Files may contain themes, languages, and content which may neither appropriate nor appealing to certain readers. READER DISCRETION is advised.

14 August 2020

Kaspersky's Q2 research reports states further emergence of APT activities

08/08/2020 01:28:45 PM



For a lot of people, 2020 has been a plagued year with the series of bad news and the COVID-19 pandemic locking down the planet. However, it is just a normal year for cybercriminals and APT (Advanced Persistent Threats) groups alike.


Well, life really goes on as the world-plaguing disease has been actively used as bait for many campaigns, large and small.  The word from Kaspersky has it; its researchers have seen the continuous development of APT arsenals on different fronts – from targeting new platforms and active vulnerability exploitation to shifting to new tools entirely. These and other APT trends from across the world are covered in Kaspersky’s latest quarterly threat intelligence summary.

A three-month APT trends summary for the last quarter is based on Kaspersky’s private threat intelligence research, as well as other sources that cover the major developments the company’s researchers believe the corporate sector should be aware of. During the same period, the company's researchers observed multiple developments in the TTPs (Tactics, Techniques, and Procedures) of APT groups across the world. The most significant changes were implemented by the following groups:

The Lazarus group, which has been a major threat actor for several years, now is investing even further in attacks for financial gain. Alongside goals like cyber-espionage and cyber-sabotage, this threat actor has targeted banks and other financial companies around the globe. This quarter, Kaspersky researchers were also able to identify that Lazarus started operating ransomware – an atypical activity for an APT group – using a multi-platform framework called MATA to distribute the malware. Previously, Lazarus has been associated with the infamous WannaCry attack.

CactusPete, a Chinese-speaking threat actor, now commonly uses ShadowPad – a complex, modular attack platform that features plugins and modules for diverse functionalities. ShadowPad has been previously deployed in a number of major cyber-attacks, with a different subset of plugins used in different attack cases.

The MuddyWater APT was discovered in 2017 and has been active in the Middle East ever since. In 2019, Kaspersky researchers reported activity against telecommunication companies and governmental organizations in the Middle East. Kaspersky recently discovered MuddyWater using a new C++ toolchain in a new wave of attacks in which the actor leveraged an open-source utility called Secure Socket Funneling for lateral movement.

The HoneyMyte APT carried out a watering hole attack on the website of a Southeast Asian government. This watering hole, set up in March, seemed to leverage whitelisting and social engineering techniques to infect its targets. The final payload was a simple ZIP archive containing a “readme” file inciting the victim to execute a Cobalt Strike implant. The mechanism used to execute Cobalt Strike was DLL side-loading, which decrypted and executed a Cobalt Strike stager shellcode.

OceanLotus, the threat actor behind the advanced PhantomLance mobile campaign, has been using new variants of its multi-stage loader since the second half of 2019. The new variants use target-specific information (username, hostname, etc.) of the targeted host that they obtained beforehand in order to ensure their final implant is deployed on the right victim. The group continues to deploy its backdoor implant, as well as Cobalt Strike Beacon, configuring them with updated infrastructure.

“The threat landscape isn’t always full of “groundbreaking” events, yet cybercriminal activity definitely has not been put on hold over the past few months. We see that the actors continue to invest in improvements to their toolsets, diversify attack vectors, and even shift to new types of targets. For instance, the use of mobile implants is no longer a novelty. Another trend we see is the move towards financial gain by some APT groups, such as BlueNoroff and Lazarus. Yet, geopolitics remains an important motive for many threat actors too,” comments Vicente Diaz, security researcher, Global Research and Analysis Team, Kaspersky.

“All these developments only highlight the importance of investing in threat landscape intelligence. Cybercriminals do not stop at what they have achieved already but continually develop new TTPs – and so should those who want to protect themselves and their organizations from attack,” adds Diaz.

In order to be spared from the dangers of any threat actors (known or unknown), Kaspersky is recommending the following steps:
  • Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyber-attack data and insights gathered by Kaspersky over more than 20 years. Free access to its curated features that allow users to check files, URLs, and IP addresses is available here
  • For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as the Kaspersky Anti Targeted Attack Platform.
  • As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training, and teach practical skills - for example through the Kaspersky Automated Security Awareness Platform


The Q2 APT Trends Report summarizes the findings of Kaspersky’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IoC) data and YARA rules to assist in forensics and malware hunting. Visit Securelist.com to find more about this report and email them for more info.

Author: slickmaster | © 2020 The SlickMaster's Files

No comments:

Post a Comment

Feel free to make a comment as long as it is within the bounds of the issue, and as long as you do it with decency. Thanks!