APT (Targeted attacks)

A powerful threat actor known as “Wild Neutron” has been active since at least 2011, infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware.

Winnti malware has been spotted being used against pharmaceutical industry.

Let’s examine a couple of interesting delivery techniques from an APT active for the past several years, the Spring Dragon APT.

We have described how Duqu 2.0 does not have a normal “persistence” mechanism. This can lead users to conclude that flushing out the malware is as simple as rebooting all the infected machines. In reality, things are a bit more complicated.

Kaspersky Lab uncovers Duqu 2.0 – a highly sophisticated malware platform exploiting up to three zero-day vulnerabilities.

Three years ago, on May 28th 2012, we announced the discovery of a malware known as Flame. Since that, we reported on many other advanced malware platform. Looking back at the discovery of Flame, here are some lessons we learned.

For over half a decade, the Naikon APT waged multiple attack campaigns on sensitive targets throughout South-eastern Asia and around the South China Sea.

The Naikon APT was one of the most active APTs in Asia. The attackers targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China. For years they have mined victims, apparently in search of geo-political intelligence.

CozyDuke (aka CozyBear, CozyCar or “Office Monkeys”) is a threat actor that became increasingly active in the 2nd half of 2014 and hit a variety of targets. The White House and Department of State are two of the most spectacular known victims.

One of the most active APT groups in Asia, and especially around the South China Sea area is “Naikon”. Naikon plays a key part in our story, but the focus of this report is on another threat actor entirely; one who came to our attention when they hit back at a Naikon attack.

There is currently some buzz about the Volatile Cedar APT activity in the Middle East, a group that deploys not only custom built RATs, but USB propagation components, as reported by Check Point.

Last July, we published details on Crouching Yeti (aka Energetic Bear), an advanced threat actor involved in several APT campaigns.

EquationDrug represents the main espionage platform from the Equation Group. It’s been in use for over 10 years, replacing EquationLaser until it was itself replaced itself by the even more sophisticated GrayFish platform.

Over the years we have tracked multiple campaigns by an advanced threat actor we call Animal Farm. The group has targeted a wide range of global organizations.

Security researchers recently announced that that the official website for the Korean Central News Agency of the Democratic People’s Republic of Korea has been serving malware disguised as a Flash Player update.