For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research, and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activities that we observed during Q1 2023.
Readers who would like to learn more about our intelligence reports or request more information on a specific report, are encouraged to contact [email protected].
The most remarkable findings
While investigating possible Turla activities, we discovered that the TunnusSched backdoor (aka QUIETCANARY) was being delivered from a Tomiris implant. Having tracked Tomiris since 2021, we believe, with medium-to-high confidence, that it is distinct from Turla. So, we think that either Tomiris is conducting false-flag attacks implicating Turla, or (more likely) that Turla and Tomiris co-operate.
In late 2022, we discovered a framework called CloudWizard that has been used to target individuals and organizations located in the Russo-Ukrainian conflict area. This framework has been in use since at least 2017, with active infections continuing. It is intended for cyber-espionage, and its features include keylogging, recording using the microphone, taking screenshots and stealing website passwords and email messages. CloudWizard has similarities to Operation Groundbait, a campaign discovered by ESET, and to BugDrop, a campaign discovered by CyberX in 2017. Additionally, we discovered ties between CloudWizard and the CommonMagic framework, which we reported in January.
During our investigation into Tomiris’s activities in 2022, we identified the use of a previously undocumented implant developed in Rust, dubbed “JLORAT”, which was in operation as early as August 2022 and remained active into 2023.
We discovered a new in-memory implant, called TargetPlug, that has been used to target game developers in South Korea since at least October 2022. Further analysis revealed that the malware is signed with valid certificates and appears to have a connection to the threat actor Winnti, a connection established through several overlaps such as shared infrastructure, code signing and victimology. We reported the misuse of the stolen “Zepetto Co.” certificate via the appropriate channel.
We have identified ongoing spear-phishing campaigns targeting Middle Eastern countries dating back to July 2021. We assess that MuddyWater, a threat actor believed to originate from the same region, is operating these campaigns. Based on our analysis, MuddyWater was able to infect several victims in the Middle East and North Africa. The group went after high-profile entities operating in the government, aviation, energy, telecoms and banking sectors. Our investigation led us to identify the targets of interest to the attackers in this campaign. In fact, a number of spear-phishing emails seem to have been crafted and sent to employees of companies in Saudi Arabia, Turkey, the UAE, Egypt, Jordan, Bahrain, Canada, Kuwait, Israel, Syria, Azerbaijan, Armenia and Malaysia.
In late December last year, we spotted malware that relies on Microsoft Exchange for command-and-control (C2) communication and data exfiltration. Further analysis of the samples revealed it to be a variant of OilRig’s Lookout malware, which we had reported earlier in 2020 and which targeted a ministry of foreign affairs entity in the Middle East and its branches worldwide. The new variant is also .NET-based, with several modifications in its execution flow compared to the original version, but it still uses Exchange Web Services (EWS) via the victim’s mailbox for its operations. Interestingly, one of the tools used during the intrusion is capable of informing the threat actor of password changes for the target organization’s users. This technique allows for stealthy, persistent access using valid credentials: the attacker learns of a rotated password instead of losing access when it changes. The threat actor utilized embedded Proton Mail and Gmail addresses for data exfiltration. By analyzing the PGP keys that Proton Mail publishes for these addresses, we were able to determine that the email addresses were created on November 30, 2022, indicating that this is a recent campaign. While the initial method of entry remains uncertain, our analysis of the malware and tools used suggests that the threat actor likely continues to operate using credentials obtained from previous intrusions, which we found in one of the tools used in this campaign.
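The dating technique mentioned above relies on a property of OpenPGP keys rather than on anything specific to the malware: a Public-Key packet carries a 4-byte creation timestamp right after its version byte (RFC 4880, §5.5.2), and Proton Mail generates a key pair for an address when the mailbox is created, so the key's creation time is a lower bound on the account's age. The script below is an added example written for this page, not Kaspersky's tooling; it parses an armored public key block and returns that timestamp. Obtaining the armored key for a given address is left to the reader, and the key used here is a constructed toy with a meaningless 16-bit RSA modulus, so it runs offline. Treating key creation as a proxy for account creation is the assumption the report's reasoning rests on; it holds only for providers that create keys automatically at signup.

```python
import base64
import struct
from datetime import datetime, timezone

PUBLIC_KEY_TAG = 6  # RFC 4880 §4.3: primary Public-Key packet


def dearmor(text):
    """Strip ASCII armor (RFC 4880 §6.2) and return the raw packet bytes."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an armored OpenPGP block")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP"):
            break
        if not in_body:
            # Armor headers (Version:, Comment:) end at the first blank line.
            in_body = line.strip() == ""
            continue
        if line.startswith("="):
            break  # CRC-24 checksum line, not part of the data
        body.append(line.strip())
    return base64.b64decode("".join(body))


def read_packet_header(data, pos):
    """Return (tag, body_start, body_len) for the packet at data[pos] (RFC 4880 §4.2)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("byte %d is not an OpenPGP packet header" % pos)
    if first & 0x40:  # new-format header
        tag, l1 = first & 0x3F, data[pos + 1]
        if l1 < 192:
            return tag, pos + 2, l1
        if l1 < 224:
            return tag, pos + 3, ((l1 - 192) << 8) + data[pos + 2] + 192
        if l1 == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not supported")
    # old-format header: tag in bits 2-5, length-type in bits 0-1
    tag, ltype = (first >> 2) & 0x0F, first & 0x03
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate-length packets are not supported")


def key_creation_time(key):
    """Walk the packet sequence and return the primary key's creation time as a UTC datetime.

    Every public-key packet version (2, 3, 4 and 5) stores a big-endian 4-byte
    creation time immediately after the version octet, so no algorithm-specific
    parsing is needed.
    """
    data = dearmor(key) if isinstance(key, str) else key
    pos = 0
    while pos < len(data):
        tag, start, length = read_packet_header(data, pos)
        if tag == PUBLIC_KEY_TAG:
            created = struct.unpack(">I", data[start + 1:start + 5])[0]
            return datetime.fromtimestamp(created, tz=timezone.utc)
        pos = start + length
    raise ValueError("no Public-Key packet found")


def build_sample_key(created_ts, uid=b"alice@example.com"):
    """Constructed test input: a v4 'RSA' key with a 16-bit toy modulus plus a User ID packet.

    Not a usable key; it exists only so the parser can be exercised offline.
    """
    body = bytes([4]) + struct.pack(">I", created_ts) + bytes([1])  # v4, time, algo 1 = RSA
    body += struct.pack(">H", 16) + b"\xC0\xA7"                      # MPI n (toy)
    body += struct.pack(">H", 17) + b"\x01\x00\x01"                  # MPI e = 65537
    packets = bytes([0xC0 | PUBLIC_KEY_TAG, len(body)]) + body       # new-format header
    packets += bytes([0xC0 | 13, len(uid)]) + uid                    # tag 13 = User ID
    b64 = base64.b64encode(packets).decode()
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----\n" % b64


if __name__ == "__main__":
    # 1669766400 is 2022-11-30T00:00:00Z, the date the report gives for the addresses.
    print(key_creation_time(build_sample_key(1669766400)).isoformat())
```

A real key from a provider will start with the same Public-Key packet, followed by User ID, signature and subkey packets, all of which the loop skips by length; only the primary key's timestamp is used, since subkeys may be rotated later. Old-format headers are handled because some tooling still emits them for public keys.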
We spotted another intrusion-set and malware samples affecting an IT company in the Middle East since early August 2022. We found evidence to suggest, with medium confidence, that the IT company intrusion is linked to OilRig and its recent attack. The threat actor employed a typical Word document containing malicious macros, utilizing a job recruitment theme, to deliver PowerShell-based malware implants that collect sensitive information, including user and server credentials. Putting this into context, the threat actor could abuse the collected credentials to exploit the supply-chain relationship and compromise the IT company’s clients.
In January, we identified new malware written in the .NET language for remote console command execution that was used in a campaign dating back to December 2022. Further investigation led us to uncover what appears to be a new malicious actor, which we dubbed Trila, targeting Lebanese government entities. This actor’s toolset primarily consists of simple, homebrewed malware that enables them to remotely execute Windows system commands on infected machines. The information gathered is then exfiltrated to a legitimate interact.sh project instance that serves as a C2. In addition to the .NET malware, we also discovered Go and Rust variants of a simple, custom SOCKS proxy tool used to redirect C2 communications within the victims’ environment.
LoneZerda is an APT threat actor that is believed to have originated from Libya, with evidence of activity dating back to 2017. The actor was first publicly disclosed by Check Point in July 2019 and is known to use politically themed Facebook pages to trick victims into downloading and executing malware. Our findings indicate that the group was targeting diplomatic entities in countries beyond the initially reported scope (i.e., Libya), but still primarily within the Middle East. We identified indicators that the keylogging module used by the actor was still active on the computers of high-profile victims at the time we wrote our private report, although the attacker’s infrastructure had been sinkholed in March 2020. Our report sheds light on various intrusion aspects not covered by publicly available research to help organizations in the same industry verticals or in the same region to protect, detect and hunt for this activity.
Southeast Asia and Korean Peninsula
We published our analysis of observed activity over the past year and a half related to the Origami Elephant threat actor. The group has been found to use two distinct attack chains: one for deploying the known Agent K11 framework and the other for deploying the RTY framework (a successor of YTY AES). Most of the initial stages rely on macro scripts, which retain the traditional script structure but also introduce new tricks. Additionally, two new simple downloaders, MinHus and Stage, were identified; these payloads are new versions of the Simple Uploader. The group has also been observed starting to use more complex algorithms to obfuscate strings, instead of simple XOR or addition and subtraction, in an effort to evade detection and attribution.
We recently investigated ScarCruft’s new malware strains and C2 server data. ScarCruft focuses on spying on individuals related to the North Korean government (including what appears to be North Korean workers abroad) and uses tools such as Chinotto for its operations. Our research uncovered a new malware strain developed in the Go language using a legitimate cloud messaging service (ably.com) as a C2 mechanism for the first time. Our monitoring of this ably.com channel shed unprecedented light on ScarCruft activities. The attackers tried to spread additional scripts for persistence and new payloads using their malware. Compromised web servers were used to host these payloads; and we detected suspicious command files on the C2 servers. We captured these commands and identified a new final payload, SidLevel, with extensive capabilities to steal sensitive information from victims. We also got access to data stolen from ScarCruft’s victims. The group continues to target individuals related to North Korea, including novelists, academic students, and also business people who appear to send funds back to North Korea.
We observed a Lazarus campaign, active until January 2023, leveraging a backdoored UltraVNC client to deliver an updated BLINDINCAN payload. Backdooring prominent open-source programs is one of the means that the Lazarus group has been using to deliver its malware. When executed, the compromised application functions normally but covertly collects victim information and transmits it to the C2 servers. Our telemetry shows evidence of a memory-resident payload being retrieved by the backdoored client. The delivered payload was identified as BLINDINCAN, which we have seen being delivered as second-stage malware before. This updated version of BLINDINCAN shares similar characteristics with previous iterations, such as C2 communication, encryption methods and infection procedure. However, it introduces new features, including plug-in-based expanding capabilities. Analyzing and cracking the Trojanized application’s communications, we discovered information about possible victims in the manufacturing and real-estate sectors in India. Additional analysis of the C2 servers, compromised since early 2020, suggests additional targeting of telecoms companies in Pakistan and Bulgaria. We believe that this campaign is not limited to these countries and sectors.
DTrack is a backdoor that has been used by Andariel (aka Stonefly and Silent Chollima), a subset of Lazarus, for almost a decade in a wide variety of attacks, including deploying ransomware as well as espionage malware. In our previous publication about DTrack, we discussed how the backdoor evolved from its previous versions to the current version in use, as well as the new victimology. In our latest private report, we revisited a campaign from 2022 and expanded on the commands the attackers used to deploy DTrack and the accompanying post-exploitation tools and malware (e.g., 3proxy and Yamabot) deployed thereafter. We identified that the attackers probably exploited servers running vulnerable versions of Log4j to gain an initial foothold, as others have reported. Furthermore, investigating the attacker’s infrastructure helped connect additional Yamabot infections with this incident. We identified several target profiles for related Yamabot deployments, all operating in the scientific research field (biomedical, genetics and soil sciences, and energy).
Other interesting discoveries
In March, we discovered a new malware strain actively targeting a government entity in Pakistan. We designated this malware “DreamLand”. The malware is modular and utilizes the Lua scripting language in conjunction with its Just-in-Time (JIT) compiler to execute malicious code that is difficult to detect. It also features various anti-debugging capabilities and calls Windows APIs through the Lua FFI library, which binds directly to C functions and so lets the scripts carry out their activities without a compiled native component for each API call. This is the first time we have seen Lua used by an APT threat actor since its use by AnimalFarm and Project Sauron.
While the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organization or compromising an individual’s device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.
Here are the main trends that we’ve seen in Q1 2023:
- Established threat actors such as Turla, MuddyWater, Winnti, Lazarus and ScarCruft continue to develop their toolsets.
- There have also been campaigns from newly discovered threat actors such as Trila.
- We continue to see threat actors using a variety of different programming languages, including Go, Rust and Lua.
- APT campaigns continue to be very geographically dispersed. This quarter, we have seen actors focus their attacks on Europe, the US, the Middle East and various parts of Asia.
- The targets chosen by APT threat actors are equally diverse. They include government and diplomatic bodies, aviation, energy, manufacturing, real estate, finance, telecoms, scientific research, IT and gaming sectors.
- Geo-politics remains a key driver of APT development and cyber-espionage continues to be a prime goal of APT campaigns.
As always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.
Disclaimer: when referring to APT groups as Russian-speaking, Chinese-speaking or “other-speaking” languages, we refer to various artefacts used by the groups (such as malware debugging strings, comments found in scripts, etc.) containing words in these languages, based on the information we obtained directly or that is otherwise publicly known and widely reported. The use of certain languages does not necessarily indicate a specific geographic relation, but rather points to the languages that the developers behind these APT artefacts use.