APT (Targeted attacks)

While investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far.

Back in October 2019 we detected a classic watering-hole attack that exploited a chain of Google Chrome and Microsoft Windows zero-days. In this blog post we’d like to take a deep technical dive into the attack.

Operation AppleJeus, news about Roaming Mantis, watering-hole websites in Asia, virus blast from the past and other targeted attacks and malware campaigns.

In autumn 2019 we published a story about how a COMpfun successor known as Reductor infected files on the fly to compromise TLS traffic. Later in November 2019 we revealed a new Trojan using the same code base as COMPFun.

Our colleagues at Checkpoint put together a fine research writeup on some Naikon resources and activity related to “aria-body” that we detected in 2017 and similarly reported in 2018.

Last year, we visited The MITRE Corporation and took part in the MITRE ATT&CK Evaluation Round 2. During this assessment, our technologies were tested against emulated attack techniques of the APT29 threat group.

For more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. This is our latest installment, focusing on activities that we observed during Q1 2020.

In July 2019, a sophisticated backdoor trojan in Google Play was reported. We conducted an inquiry of our own, discovering a long-term campaign, which we dubbed “PhantomLance”, its earliest registered domain dating back to December 2015.

On December 4, 2019, we discovered watering hole websites that were compromised to selectively trigger a drive-by download attack with fake Adobe Flash update warnings.

A watering hole was discovered on January 10, 2020 utilizing a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The site appears to have been designed to target users in Hong Kong based on the content of the landing page.

Kaspersky discovered a malicious campaign distributing a fully fledged C++ Trojan that we call Milum. All the victims we registered were organizations from the Middle East. At least some of them are related to industrial sector.

Kaspersky has continued to track the Roaming Mantis campaign. The group’s attack methods have improved and new targets continuously added in order to steal more funds.

To attack macOS users, the Lazarus group has developed homemade macOS malware, and added an authentication mechanism to deliver the next stage payload very carefully, as well as loading the next-stage payload without touching the disk.

After we wrote our private report on the OilRig leak, we decided to scan our archives with our YARA rule, to hunt for new and older samples. Aside from finding some new samples, we believe we also succeeded in finding some of the first Poison Frog samples.

What were the most interesting developments in terms of APT activity during the year and what can we learn from them?