2020 is the year when nothing is the same and yet life goes on, for cybercriminals and APT groups alike. The COVID-19 pandemic is actively used as bait for many campaigns, large and small. Kaspersky researchers have seen the continued development of APT arsenals on different fronts – from targeting new platforms and active vulnerability exploitation to shifting to new tools entirely. These and other APT trends from across the world are covered in Kaspersky’s latest quarterly threat intelligence summary.

This three-month APT trends summary for the last quarter is based on Kaspersky’s private threat intelligence research, as well as other sources, and covers the major developments the company’s researchers believe the corporate sector should be aware of.

In Q2 2020, Kaspersky researchers observed multiple developments in the TTPs of APT groups across the world. The most significant changes were implemented by the following groups:

  • The Lazarus group, which has been a major threat actor for several years, is now investing even further in attacks for financial gain. Alongside goals such as cyber-espionage and cyber-sabotage, this threat actor has targeted banks and other financial companies around the globe. This quarter, Kaspersky researchers were also able to identify that Lazarus has started operating ransomware – an atypical activity for an APT group – using a multi-platform framework called MATA to distribute the malware. Lazarus has previously been associated with the infamous WannaCry attack.
  • CactusPete, a Chinese-speaking threat actor, now commonly uses ShadowPad – a complex, modular attack platform that features plugins and modules for diverse functionalities. ShadowPad has been previously deployed in a number of major cyber-attacks, with a different subset of plugins used in different attack cases.
  • The MuddyWater APT was discovered in 2017 and has been active in the Middle East ever since. In 2019, Kaspersky researchers reported activity against telecommunication companies and governmental organizations in the Middle East. Kaspersky recently discovered MuddyWater using a new C++ toolchain in a new wave of attacks in which the actor leveraged an open-source utility called Secure Socket Funneling for lateral movement.
  • The HoneyMyte APT carried out a watering hole attack on the website of a Southeast Asian government. This watering hole, set up in March, seemed to leverage whitelisting and social engineering techniques to infect its targets. The final payload was a simple ZIP archive containing a “readme” file inciting the victim to execute a Cobalt Strike implant. The mechanism used to execute Cobalt Strike was DLL side-loading, which decrypted and executed a Cobalt Strike stager shellcode.
  • OceanLotus, the threat actor behind the advanced PhantomLance mobile campaign, has been using new variants of its multi-stage loader since the second half of 2019. The new variants use target-specific information (username, hostname, etc.) that the group obtained beforehand to ensure the final implant is deployed only on the intended victim. The group continues to deploy its backdoor implant, as well as Cobalt Strike Beacon, configuring them with updated infrastructure.
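
As an added illustration of how a defender might hunt for the DLL side-loading described in the HoneyMyte case above (this is example code written for this page, not Kaspersky's detection logic or any of its products), the following Python script runs a simple heuristic over constructed image-load records: a DLL whose name matches a commonly hijacked system library, loaded from the executable's own directory rather than from a Windows system directory, is flagged, and the combination of a signed executable with an unsigned DLL is rated higher. The record layout, the list of DLL names and the sample lines are all assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed image-load records in a simplified key=value layout (assumed for
# this example; real Sysmon Event ID 7 records carry more fields and a
# different layout).
SAMPLE_IMAGE_LOADS = [
    r"Image=C:\Users\victim\Downloads\readme\reader.exe ImageLoaded=C:\Users\victim\Downloads\readme\version.dll ImageSigned=true DllSigned=false",
    r"Image=C:\Windows\System32\notepad.exe ImageLoaded=C:\Windows\System32\version.dll ImageSigned=true DllSigned=true",
    r"Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\Program Files\Vendor\vendorui.dll ImageSigned=true DllSigned=true",
    r"Image=C:\Users\victim\AppData\Local\Temp\tool.exe ImageLoaded=C:\Users\victim\AppData\Local\Temp\dbghelp.dll ImageSigned=false DllSigned=false",
]

# Library names frequently abused for side-loading; illustrative, not exhaustive.
COMMONLY_HIJACKED = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll"}
# Directories from which these libraries are legitimately loaded.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# key=value pairs whose values may contain spaces (e.g. "Program Files");
# a value ends where the next "key=" token begins or the line ends.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_record(line: str) -> Dict[str, str]:
    """Turn one constructed record into a dict of its fields."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def classify(record: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for a probable side-load, or None for benign loads."""
    exe = PureWindowsPath(record["Image"])
    dll = PureWindowsPath(record["ImageLoaded"])
    if dll.name.lower() not in COMMONLY_HIJACKED:
        return None
    if str(dll.parent).lower() in SYSTEM_DIRS:
        return None  # loaded from where Windows keeps it
    # Side-loading relies on the loader finding the DLL in the application
    # directory before it searches the system directories.
    # PureWindowsPath comparison is case-insensitive, as Windows paths are.
    if dll.parent != exe.parent:
        return None
    signed_exe = record.get("ImageSigned", "false").lower() == "true"
    signed_dll = record.get("DllSigned", "false").lower() == "true"
    # A signed, trusted host binary pulling in an unsigned sibling DLL is the
    # classic side-loading shape; rate it above the unsigned/unsigned case.
    severity = "high" if signed_exe and not signed_dll else "medium"
    return {"exe": str(exe), "dll": str(dll), "severity": severity}


def find_sideloads(lines: List[str]) -> List[Dict[str, str]]:
    """Run the heuristic over a batch of records and collect findings."""
    findings = []
    for line in lines:
        hit = classify(parse_record(line))
        if hit is not None:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in find_sideloads(SAMPLE_IMAGE_LOADS):
        print(finding["severity"], finding["exe"], "->", finding["dll"])
```

The heuristic is a hunting lead, not a blocking rule: legitimate software sometimes ships its own copy of these libraries, so each hit should be corroborated with the other signals the case describes, such as an archive delivered through social engineering and an unsigned DLL sitting next to a signed binary in a user-writable path.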

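The OceanLotus loaders described above use pre-collected username and hostname values to make sure the final implant lands only on the intended victim. As an added example, written for this page and not taken from the actor's code or from Kaspersky's reports, the following Python block shows the general technique, usually called environmental keying: the payload is encrypted under a key derived from the victim's identity, so the same sample decrypts nothing on an analyst's sandbox. The key derivation scheme, the HMAC-based stream cipher, the 8-byte verification tag and the sample identity are assumptions for illustration. The last function shows the analyst's counter-move: because the loader must be able to verify its own decryption, a list of the victim organisation's usernames and hostnames is enough to recover the implant.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

TAG_LEN = 8  # bytes of SHA-256(plaintext) stored so the loader can verify itself


def derive_key(username: str, hostname: str) -> bytes:
    """Bind the decryption key to the intended victim's identity.

    The concatenation scheme is an assumption made for this example; the page
    only says the loader uses pre-collected username/hostname values.
    """
    material = f"{username.lower()}|{hostname.lower()}".encode("utf-8")
    return hashlib.sha256(material).digest()


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a dependency-free stream cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_keyed_payload(username: str, hostname: str, implant: bytes) -> bytes:
    """Operator side: stage the implant so it only decrypts on the matching host."""
    tag = hashlib.sha256(implant).digest()[:TAG_LEN]
    key = derive_key(username, hostname)
    return tag + xor_bytes(implant, keystream(key, len(implant)))


def try_unlock(blob: bytes, username: str, hostname: str) -> Optional[bytes]:
    """Loader side: decrypt with the local identity and verify the result.

    On a mismatch the function returns None; a real loader would simply exit,
    leaving the sandbox with an encrypted blob and no observable implant.
    """
    tag, ciphertext = blob[:TAG_LEN], blob[TAG_LEN:]
    key = derive_key(username, hostname)
    plaintext = xor_bytes(ciphertext, keystream(key, len(ciphertext)))
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest()[:TAG_LEN], tag):
        return None
    return plaintext


def brute_force_identity(
    blob: bytes, candidates: Iterable[Tuple[str, str]]
) -> Optional[Tuple[str, str, bytes]]:
    """Analyst side: the embedded tag confirms guesses, so candidate
    (username, hostname) pairs gathered from the victim recover the implant."""
    for user, host in candidates:
        plaintext = try_unlock(blob, user, host)
        if plaintext is not None:
            return user, host, plaintext
    return None


# Constructed sample: a stand-in "implant" and a made-up victim identity.
IMPLANT = b"stand-in for the final-stage implant bytes"
TARGET_USER, TARGET_HOST = "jdoe", "WS-FIN-07"
BLOB = build_keyed_payload(TARGET_USER, TARGET_HOST, IMPLANT)

if __name__ == "__main__":
    print("intended host decrypts:", try_unlock(BLOB, "JDoe", "ws-fin-07") == IMPLANT)
    print("sandbox decrypts:", try_unlock(BLOB, "admin", "SANDBOX-01") is not None)
    print("analyst brute force:", brute_force_identity(
        BLOB, [("admin", "SANDBOX-01"), ("jdoe", "WS-FIN-07")]))
```

The practical consequence for incident responders is that a keyed loader recovered from one machine is only useful together with that machine's identity values, so the username and hostname of the host it was found on should be preserved with the sample rather than discarded during triage.
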
“The threat landscape isn’t always full of ‘groundbreaking’ events, yet cybercriminal activity definitely has not been put on hold over the past few months. We see that the actors continue to invest in improvements to their toolsets, diversify attack vectors and even shift to new types of targets. For instance, the use of mobile implants is no longer a novelty. Another trend we see is the move towards financial gain by some APT groups, such as BlueNoroff and Lazarus. Yet, geo-politics remain an important motive for many threat actors too,” comments Vicente Diaz, security researcher, Global Research and Analysis Team, Kaspersky. “All these developments only highlight the importance of investing in threat landscape intelligence. Cybercriminals do not stop at what they have achieved already but continually develop new TTPs – and so should those who want to protect themselves and their organizations from attack.”

The Q2 APT trends report summarizes the findings of Kaspersky’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IoCs) and YARA rules to assist in forensics and malware hunting. For more information, please contact intelreports@kaspersky.com.

To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyber-attack data and insights gathered by Kaspersky over more than 20 years. Free access to its curated features, which allow users to check files, URLs and IP addresses, is available on the portal.
  • For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills, for example through the Kaspersky Automated Security Awareness Platform.

Read the full Q2 APT trends report on Securelist.com.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com


© Press Release 2020
