APT (Targeted attacks)

A threat actor, likely operating from India, was undertaking aggressive cyber-espionage activity in the Asian region, targeting multiple diplomatic and government entities with a particular focus on China and its international affairs.

Kaspersky Lab discovers CVE-2016-4171 used in limited targeted attacks to compromise high profile victims.

Cyberespionage attacks conducted by different groups across the Asia-Pacific (APAC) and Far East regions share one common feature: in order to infect their victims with malware, the attackers use an exploit for the CVE-2015-2545 vulnerability.

Instead of developing customized hacking tools or buying them from third-party suppliers on the criminal underground, cyberespionage threat actors are using tools available on the web for research purposes. Several cyberespionage campaigns utilizing such tools have been spotted recently by experts.

Our first research into PlugX was published in 2012 – since then this remote access tool (RAT) has become a well-known instrument used in a series of attacks all over the globe targeting multiple industry verticals.

Recently Patrick Wardle published an analysis of a new Backdoor and Dropper used by HackingTeam. It looks like the samples mentioned in the blog were found in-the-wild, so we decided to see how this latest Backdoor works.

Kaspersky Lab has joined industry alliance driven by Novetta to announce Operation Blockbuster. The goal of the operation is to disrupt the activity of the Lazarus Group – a highly malicious entity responsible for data destruction as well as conventional cyber-espionage operations against multiple companies around the world.

Kaspersky Lab researcher Vitaly Kamluk gave a talk about the latest version of the cross-platform Adwind RAT. The remote access Trojan is unique in that it’s written in JavaScript, giving this version — which is also known as Frutas, AlienSpy and JSocket — the flexibility to be used liberally in cybercrime operations as well as in targeted attacks.

Kaspersky Lab exposes first ever publicly known Brazilian Portuguese cyberespionage campaign targeting financial institutions as well as telecommunications, manufacturing, energy and media companies. Poseidon Group is a commercial entity whose attacks involve custom malware digitally signed with rogue certificates deployed to steal sensitive data from victims.

Adwind – a cross-platform RAT, multifunctional malware program which is distributed through a single malware-as-a-service platform. Different versions of the Adwind malware have been used in attacks against at least 443,000 private users, commercial and non-commercial organizations around the world.

A year after Kaspersky Lab warned that cybercriminals would start to adopt the tools and tactics of nation-state backed APTs in order to rob banks, the company has confirmed the return of Carbanak and uncovered two more groups: Metel and GCMAN.

Few days ago, we came by a new document that appears to be part of the ongoing attacks BlackEnergy against Ukraine. Unlike previous Office files used in the recent attacks, this is not an Excel workbook, but a Microsoft Word document.

The hacking of Hacking Team was widely discussed in the media from many different points of view, such as the legality of selling spyware to oppressive governments, the quality of the tools and leaked email spools displaying the company’s business practices. One of these stories attracted our attention.

Sofacy (also known as “Fancy Bear”, “Sednit”, “STRONTIUM” and “APT28”) is an advanced threat group that has been active since around 2008, targeting mostly military and government entities worldwide, with a focus on NATO countries. More recently, we have also seen an increase in activity targeting Ukraine.

The end of the year is traditionally a time for reflection – for taking stock of our lives before considering what lies ahead. We’d like to offer our customary retrospective of the key events that have shaped the threat landscape in 2015.