APT (Targeted attacks)

Gaza Cybergang(s) is a politically motivated Arabic-language cyberthreat actor, actively targeting the Middle East North Africa region. Group1 is the least sophisticated of the three attack Gaza groups.

TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018.

Further tracking of Lazarus activities targeting the financial sector enabled us to discover a new operation, active since at least November 2018, which utilizes PowerShell to control Windows systems and macOS malware for Apple users.

Operation ShadowHammer is a newly discovered supply chain attack that leveraged ASUS Live Update software. While the investigation is still in progress and full results and technical paper will be published during SAS 2019 conference in Singapore, we would like to share some important details about the attack.

Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyber-espionage campaign that was primarily targeting foreign diplomatic entities based in Iran. The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation.

We have identified an overlap between GreyEnergy, which is believed to be a successor to BlackEnergy group, and a Sofacy subset called “Zebrocy”. Both used the same servers at the same time and targeted the same organization.

The Sofacy subset we identify as “Zebrocy” continues to target Central Asian government related organizations, both in-country and remote locations, along with a new middle eastern diplomatic target. And, as predicted, they continue to build out their malware set with a variety of scripts and managed code.

What were the most interesting developments in terms of APT activity throughout the year and what can we learn from them? Not an easy question to answer. Still, with the benefit of hindsight, let’s try to approach the problem from different angles to get a better understanding of what went on.

All too often, both rely on manipulating human psychology as a way of compromising entire systems or individual computers. Increasingly, the devices targeted also include those that we don’t consider to be computers – from children’s toys to security cameras. Here is our annual round-up of major incidents and key trends from 2018

Asking the most intelligent people I know, and basing our scenario on APT attacks because they traditionally show the most innovation when it comes to breaking security, here are our main ‘predictions’ of what might happen in the next few months.

LuckyMouse, mobile Trojan Asacub, BusyGasper, KeyPass ransomware and other notable targeted attacks and malware stories of Q3 2018.

Frequently asked questions about DarkPulsar implant that was found in the “Lost in Translation” leak among other tools.

After the “Lost in Translation” leak was revealed, we noticed that this leak contained a tool in the “implants” category called DarkPulsar. We analyzed it and understood that it is not a backdoor itself, but the administrative part only.

For the last two years we have been monitoring a Russian-language cyberespionage actor that focuses on Central Asian users. We named the actor DustSquad and have provided reports on four of their campaigns. In this blogpost we cover a malicious program for Windows called Octopus that mostly targets diplomatic entities.

For this blogpost we gathered all the sinkhole data for Dutch IPs in the last four years, which amounts to around 85,000 entries. The aim is to give an overview of which APT groups are active in the Netherlands and what they are interested in.