APT (Targeted attacks)

This report details a collection of tools used by MuddyWater threat actor on its targets after initial infection. It also details deceptive techniques used to divert investigations once attack tools have been deployed inside victim systems.

In late March 2019, we briefly highlighted our research on ShadowHammer attacks, a sophisticated supply chain attack involving ASUS Live Update Utility. Now it is time to share more details about the research with our readers.

Gaza Cybergang(s) is a politically motivated Arabic-language cyberthreat actor, actively targeting the Middle East North Africa region. Group1 is the least sophisticated of the three attack Gaza groups.

TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018.

Further tracking of Lazarus activities targeting the financial sector enabled us to discover a new operation, active since at least November 2018, which utilizes PowerShell to control Windows systems and macOS malware for Apple users.

Operation ShadowHammer is a newly discovered supply chain attack that leveraged ASUS Live Update software. While the investigation is still in progress and full results and technical paper will be published during SAS 2019 conference in Singapore, we would like to share some important details about the attack.

Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyber-espionage campaign that was primarily targeting foreign diplomatic entities based in Iran. The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation.

We have identified an overlap between GreyEnergy, which is believed to be a successor to BlackEnergy group, and a Sofacy subset called “Zebrocy”. Both used the same servers at the same time and targeted the same organization.

The Sofacy subset we identify as “Zebrocy” continues to target Central Asian government related organizations, both in-country and remote locations, along with a new middle eastern diplomatic target. And, as predicted, they continue to build out their malware set with a variety of scripts and managed code.

What were the most interesting developments in terms of APT activity throughout the year and what can we learn from them? Not an easy question to answer. Still, with the benefit of hindsight, let’s try to approach the problem from different angles to get a better understanding of what went on.

All too often, both rely on manipulating human psychology as a way of compromising entire systems or individual computers. Increasingly, the devices targeted also include those that we don’t consider to be computers – from children’s toys to security cameras. Here is our annual round-up of major incidents and key trends from 2018

Asking the most intelligent people I know, and basing our scenario on APT attacks because they traditionally show the most innovation when it comes to breaking security, here are our main ‘predictions’ of what might happen in the next few months.

LuckyMouse, mobile Trojan Asacub, BusyGasper, KeyPass ransomware and other notable targeted attacks and malware stories of Q3 2018.

Frequently asked questions about DarkPulsar implant that was found in the “Lost in Translation” leak among other tools.

After the “Lost in Translation” leak was revealed, we noticed that this leak contained a tool in the “implants” category called DarkPulsar. We analyzed it and understood that it is not a backdoor itself, but the administrative part only.