APT (Targeted attacks)

Beginning in H2 2019 we have observed a tendency for decreases in the percentages of attacked computers, both in the ICS and in the corporate and personal environments. The internet, removable media and email continue to be the main sources of threats in the ICS environment.

The Global Research and Analysis Team (GReAT) at Kaspersky publishes regular summaries of advanced persistent threat (APT) activity, based on the threat intelligence research discussed in greater detail in our private APT reports. In this report, we focus on the targeting of Linux resources by APT threat actors.

Targeted attacks and APT groups, new malware and the COVID-19 pandemic exploitation in the second quarter of 2020

In the second article, we describe a new Android implant used by Transparent Tribe for spying on mobile devices and present new evidence confirms a link between ObliqueRAT and Transparent Tribe.

DeathStalker is a unique threat group that appears to target law firms and companies in the financial sector. They don’t deploy ransomware or steal payment information to resell it, their interest in gathering sensitive business information.

Transparent Tribe, also known as PROJECTM and MYTHIC LEOPARD, is a highly prolific group whose activities can be traced as far back as 2013.

A new CactusPete campaign shows that the group’s favored types of target remain the same. The victims of the new variant of the Bisonal backdoor were from financial and military sectors located in Eastern Europe.

Kaspersky prevented an attack on a South Korean company by a malicious script for Internet Explorer. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits.

As an incident response service provider, Kaspersky delivers a global service that results in a global visibility of adversaries’ cyber-incident tactics and techniques on the wild. In this report, we share our teams’ conclusions and analysis based on incident responses and statistics from 2019.

This summary is based on our threat intelligence research and provides a representative snapshot of what we have published and discussed, focusing on activities that we observed during Q2 2020.

By investigating a number of targeted ransomware attacks and through discussions with some of our trusted industry partners, we feel that we now have a good grasp on how the ransomware ecosystem is structured.

The MATA malware framework possesses several components, such as loader, orchestrator and plugins. The framework is able to target Windows, Linux and macOS operating systems.

The two hours of our first “GReAT Ideas. Powered by SAS” session were not enough for answering all of the questions raised, therefore we try to answer them below.

In February 2020, we observed a Trojan injected into the system process memory on a particular host. The target turned out to be a diplomatic entity. We attribute this campaign with high confidence to the SixLittleMonkeys (aka Microcin) threat actor.

Today, we are announcing the release of KTAE, the Kaspersky Threat Attribution Engine. This code attribution technology, developed initially for internal use by the Kaspersky Global Research and Analysis Team, is now being made available to a wider audience.