APT (Targeted attacks)

The main focus of Blue Termite is to attack Japanese organizations; and most of their C2s are located in Japan. The attack is still active and the number of victims has been increasing.

In 2015, many of Darkhotel’s techniques and activities remain in use. However, in addition to new variants of malicious .hta, we find new victims, .rar attachments with RTLO spearphishing, and the deployment of a 0day from Hacking Team.

Analyzing this malware we noticed that attackers implemented a capability of cloud drive usage to store malware samples and downloading them on infected systems.

A powerful threat actor known as “Wild Neutron” has been active since at least 2011, infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware.

Winnti malware has been spotted being used against pharmaceutical industry.

Let’s examine a couple of interesting delivery techniques from an APT active for the past several years, the Spring Dragon APT.

We have described how Duqu 2.0 does not have a normal “persistence” mechanism. This can lead users to conclude that flushing out the malware is as simple as rebooting all the infected machines. In reality, things are a bit more complicated.

Kaspersky Lab uncovers Duqu 2.0 – a highly sophisticated malware platform exploiting up to three zero-day vulnerabilities.

Three years ago, on May 28th 2012, we announced the discovery of a malware known as Flame. Since that, we reported on many other advanced malware platform. Looking back at the discovery of Flame, here are some lessons we learned.

For over half a decade, the Naikon APT waged multiple attack campaigns on sensitive targets throughout South-eastern Asia and around the South China Sea.

The Naikon APT was one of the most active APTs in Asia. The attackers targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos and China. For years they have mined victims, apparently in search of geo-political intelligence.

CozyDuke (aka CozyBear, CozyCar or “Office Monkeys”) is a threat actor that became increasingly active in the 2nd half of 2014 and hit a variety of targets. The White House and Department of State are two of the most spectacular known victims.

One of the most active APT groups in Asia, and especially around the South China Sea area is “Naikon”. Naikon plays a key part in our story, but the focus of this report is on another threat actor entirely; one who came to our attention when they hit back at a Naikon attack.

There is currently some buzz about the Volatile Cedar APT activity in the Middle East, a group that deploys not only custom built RATs, but USB propagation components, as reported by Check Point.

Last July, we published details on Crouching Yeti (aka Energetic Bear), an advanced threat actor involved in several APT campaigns.