APT (Targeted attacks)

For more than three years, GReAT at Kaspersky has been publishing quarterly summaries of advanced persistent threat activity. This is our latest installment, focusing on activities that we observed during Q3 2020.

The DHS CISA agency released information about a malware family called SlothfulMedia, which they attribute to a sophisticated threat actor. We have been tracking this set of activity through our private reporting service, and we would like to provide the community with additional context.

In summer 2020 we uncovered a previously unknown multi-module C++ toolset used in highly targeted industrial espionage attacks dating back to 2018. The malware authors named the toolset “MT3”; following this abbreviation we have named the toolset “MontysThree”.

We found a compromised UEFI firmware image that contained a malicious implant. To the best of our knowledge, this is the second known public case where malicious UEFI firmware in use by a threat actor was found in the wild.

Now, this unique year presents us with a new surprise: the second SAS in one calendar year! Once again, everyone can visit this online event.

On 3rd of September, we were hosting our webinar, in which we shared best practices on YARA usage. Due to timing restrictions we were not able to answer all the questions, therefore we’re trying to answer them here.

Beginning in H2 2019 we have observed a tendency for decreases in the percentages of attacked computers, both in the ICS and in the corporate and personal environments. The internet, removable media and email continue to be the main sources of threats in the ICS environment.

The Global Research and Analysis Team (GReAT) at Kaspersky publishes regular summaries of advanced persistent threat (APT) activity, based on the threat intelligence research discussed in greater detail in our private APT reports. In this report, we focus on the targeting of Linux resources by APT threat actors.

Targeted attacks and APT groups, new malware and the COVID-19 pandemic exploitation in the second quarter of 2020

In the second article, we describe a new Android implant used by Transparent Tribe for spying on mobile devices and present new evidence confirms a link between ObliqueRAT and Transparent Tribe.

DeathStalker is a unique threat group that appears to target law firms and companies in the financial sector. They don’t deploy ransomware or steal payment information to resell it, their interest in gathering sensitive business information.

Transparent Tribe, also known as PROJECTM and MYTHIC LEOPARD, is a highly prolific group whose activities can be traced as far back as 2013.

A new CactusPete campaign shows that the group’s favored types of target remain the same. The victims of the new variant of the Bisonal backdoor were from financial and military sectors located in Eastern Europe.

Kaspersky prevented an attack on a South Korean company by a malicious script for Internet Explorer. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits.

As an incident response service provider, Kaspersky delivers a global service that results in a global visibility of adversaries’ cyber-incident tactics and techniques on the wild. In this report, we share our teams’ conclusions and analysis based on incident responses and statistics from 2019.