APT (Targeted attacks)

Some time ago while tracking Winnti group activity we came across a standalone utility with the name HDD Rootkit for planting a bootkit on a computer. During our investigation we found several backdoors that the HDRoot bootkit used for infecting operating systems.

Kaspersky Lab researchers presented a closing keynote and three other papers related to targeted attacks and APT research at Virus Bulletin 2015 in Prague.

Famous Chinese-speaking cybercriminal APT actor Winnti has been observed targeting pharmaceutical businesses. New threat, which Kaspersky Lab has called “HDRoot” after the original tool’s name “HDD Rootkit”, is a universal platform for a sustainable and persistent appearance in a targeted system, which can be used to launch any other tool.

Gaza cybergang is a politically motivated Arabic cybercriminal group operating in the MENA (Middle East North Africa) region, mainly Egypt, United Arab Emirates and Yemen. The group has been operating since 2012 and became particularly active in Q2 2015.

When you are an APT group, you need to deal with the constant seizure and takedown of C&C domains and servers. Some of the most advanced threat actors have found a solution — the use of satellite-based Internet links. In the past, we’ve seen three different actors using such links to mask their operations. The most interesting and unusual of them is the Turla group.

The main focus of Blue Termite is to attack Japanese organizations; and most of their C2s are located in Japan. The attack is still active and the number of victims has been increasing.

In 2015, many of Darkhotel’s techniques and activities remain in use. However, in addition to new variants of malicious .hta, we find new victims, .rar attachments with RTLO spearphishing, and the deployment of a 0day from Hacking Team.

Analyzing this malware we noticed that attackers implemented a capability of cloud drive usage to store malware samples and downloading them on infected systems.

A powerful threat actor known as “Wild Neutron” has been active since at least 2011, infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware.

Winnti malware has been spotted being used against pharmaceutical industry.

Let’s examine a couple of interesting delivery techniques from an APT active for the past several years, the Spring Dragon APT.

We have described how Duqu 2.0 does not have a normal “persistence” mechanism. This can lead users to conclude that flushing out the malware is as simple as rebooting all the infected machines. In reality, things are a bit more complicated.

Kaspersky Lab uncovers Duqu 2.0 – a highly sophisticated malware platform exploiting up to three zero-day vulnerabilities.

Three years ago, on May 28th 2012, we announced the discovery of a malware known as Flame. Since that, we reported on many other advanced malware platform. Looking back at the discovery of Flame, here are some lessons we learned.

For over half a decade, the Naikon APT waged multiple attack campaigns on sensitive targets throughout South-eastern Asia and around the South China Sea.