Director, Global Research & Analysis Team, Latin AmericaDmitry Bestuzhev is Director of Kaspersky’s Global Research and Analysis Team in Latin America, where he oversees the company’s anti-malware and threat intelligence research by experts in the region. Dmitry joined Kaspersky in 2007 as a Malware Analyst, monitoring the local threat landscape and providing preliminary analysis. By 2008, he had become Senior Regional Researcher for the Latin American region and was appointed to his current role in 2010. In addition to overseeing anti-malware research and analysis work, Dmitry produces intelligence reports and forecasts for the region and is frequently sought out by international media and organizations for his expert commentary on IT security. Dmitry’s wide field of expertise covers everything from high profile attacks on financial institutions to traditional cybercrime underground activity. Dmitry is also an expert in corporate security, cyber-espionage and complex targeted attacks and participates in various educational initiatives throughout the Americas. Dmitry has more than two decades of experience in IT security across a wide variety of roles and is fluent in English, Spanish and Russian.
The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.
A41APT is a long-running campaign with activities detected from March 2019 to the end of December 2020. Most of the discovered malware families are fileless malware and they have not been seen before.
In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.
While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.