ESET: APT activity continues to wreak havoc globally

Article by Nathan Hew

Advanced persistent threat (APT) activity continues to grow in ways that weaponize new technologies to cause more disruption and destruction. The damage is predicted to amount to US$10.5 trillion annually by 2025 — a 300% increase from 2015 levels.

ESET’s latest APT Activity Report summarizes the activities of selected APT groups that were observed, investigated, and analyzed by ESET researchers from October 2022 until the end of March 2023. 

From deploying a new Ketrican variant to sending spear phishing emails, here are some notable APT incidents that occurred across the globe.

ESET APT Activity Report: Four key takeaways 

China-aligned threat actors Ke3chang and Mustang Panda focused on European organizations. 

Recently, Mustang Panda launched a new campaign targeting Bulgaria, Australia, and Taiwan with a new custom backdoor that ESET named MQsTTang.

In January of 2023, ESET detected the compromise of a high-profile governmental organization in a European Union (EU) country. In two instances, Ke3chang deployed a new variant of its signature backdoor, Ketrican, together with a new loader (KetriADS) that reads, decrypts, and executes its payload from the alternate data stream of one of its modules.
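Because the loader keeps its payload in an NTFS alternate data stream (ADS), a stream listing is the natural place to look for it on a suspect host. The script below is an added defender-side example, not code from ESET or the report; the scan root and size threshold are assumptions to adjust for your environment.

```powershell
# Added example, not from ESET or the APT Activity Report: enumerate NTFS
# alternate data streams under a directory and flag the ones large enough to
# hold code. $ScanRoot and $MinBytes are assumptions for illustration.
param(
    [string]$ScanRoot = 'C:\Windows\System32',   # assumption: directory to inspect
    [int]$MinBytes    = 1024                      # assumption: ignore tiny streams
)

# Every NTFS file has the unnamed ':$DATA' stream; anything else is an ADS.
# 'Zone.Identifier' is the common benign mark-of-the-web stream, so it is
# labelled rather than treated as suspicious.
$findings = Get-ChildItem -Path $ScanRoot -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    Benign = ($_.Stream -eq 'Zone.Identifier')
                }
            }
    }

# Streams that are both unusual and sizeable are the candidates to pull for
# analysis; sort the largest first.
$suspicious = $findings | Where-Object { -not $_.Benign -and $_.Bytes -ge $MinBytes }
$suspicious | Sort-Object Bytes -Descending | Format-Table Path, Stream, Bytes -AutoSize

# To inspect one hit without executing anything, read its raw bytes (PowerShell 7;
# on Windows PowerShell 5.1 use -Encoding Byte instead of -AsByteStream):
# Get-Content -LiteralPath $hit.Path -Stream $hit.Stream -AsByteStream -TotalCount 64
```

Running this over the directory where a suspected module lives surfaces any named stream attached to it; the size filter keeps the output from being flooded by the small Zone.Identifier streams that downloaded files legitimately carry.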

For the uninitiated, a backdoor attack occurs when threat actors create or use a backdoor to gain remote access to a system.

North Korea-aligned groups continued to focus on South Korea-related entities

ScarCruft, for instance, still uses ROKRAT, its flagship backdoor, as evidenced by a recent upload to VirusTotal from South Korea. The platform is a free service that analyzes files and URLs for viruses, worms, trojans and other kinds of malicious content.

Other files uploaded to VirusTotal from the same country exhibited a similar initial execution method, as described in an AhnLab report.

During the observed period, North Korea-aligned APT Andariel targeted a hospital in South Korea. The group used various payloads, including a NirSoft password recovery tool for collecting browser passwords or recovering network passwords.

Kimsuky attacked a US-based expert on South Korea by using malware typical of the BabyShark cluster but connecting to previously unseen command-and-control servers (a computer controlled by a cybercriminal that sends commands to systems compromised by malware and receives stolen data from a target network).

In Israel, Iran-aligned group OilRig deployed a new custom backdoor. 

OilRig deployed a new custom backdoor, Mango, to a victim in the Israeli healthcare vertical. The APT group also deployed its latest version of SC5k, a downloader that uses the Microsoft Office 365 (O365) API to log in to a pre-established account and download and execute payloads stored as attachments to emails in the O365 account. 

OilRig previously targeted the victim in June and August 2021 with the Shark backdoor and a custom keylogger.

Russia-aligned APT groups were especially active in Ukraine and EU countries, with Sandworm deploying wipers.

Gamaredon continues to be one of the most active APT groups targeting Ukraine, aiming to steal confidential information. On top of that, there has been a spear phishing campaign targeting governmental institutions in several EU countries.

This campaign relies on known Gamaredon tactics: emails with an attached malicious HTML document. 

The group continues to adjust its tools to evade detection. Specifically, ESET observed increased attempts to store code parts of the Gamaredon toolset in the Windows registry. 
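Code stashed in the registry leaves a footprint that is easy to review: values that are far longer than a normal command line, or that consist of one long encoded blob. The script below is an added hunting example, not code from ESET or the report; it assumes the autostart keys are the place to start and uses an assumed length threshold, both of which should be tuned locally.

```powershell
# Added example, not from ESET or the APT Activity Report: list autostart
# registry values whose data is unusually long, looks like an encoded blob, or
# invokes an encoded PowerShell command. Key list and threshold are assumptions.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$MaxNormalLength = 260   # assumption: a legitimate Run entry is a short command line

function Test-LooksEncoded {
    param([string]$Data)
    # A long run of base64 characters with no whitespace is a crude but useful signal.
    return ($Data -match '^[A-Za-z0-9+/=]{200,}$')
}

$hits = foreach ($key in $autostartKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $raw = $item.GetValue($name)
        # REG_BINARY comes back as byte[]; render it as hex so it can be previewed.
        if ($raw -is [byte[]]) {
            $data = [System.BitConverter]::ToString($raw)
            $length = $raw.Length
        } else {
            $data = [string]$raw
            $length = $data.Length
        }
        $suspicious = ($length -gt $MaxNormalLength) -or
                      (Test-LooksEncoded $data) -or
                      ($data -match 'powershell.*(-enc|-e\s|FromBase64String|IEX)')
        if ($suspicious) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Length  = $length
                Preview = $data.Substring(0, [Math]::Min(80, $data.Length))
            }
        }
    }
}
$hits | Format-Table -AutoSize
```

Any hit is a lead rather than a verdict: compare the preview against the software you expect to start on that host, and export the full value for analysis before removing it.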

Another Russia-aligned APT group, Sandworm, continues to target various verticals in Ukraine, including the government, the energy sector, and the media.

In January 2023, ESET detected Sandworm’s deployment of a new wiper in Ukraine, dubbed “SwiftSlicer”. It was deployed using Active Directory Group Policy, and the wiper is written in the Go programming language.
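Deployment through Group Policy means a single policy change can reach every machine in scope, so recently modified GPOs and the SYSVOL files that changed with them deserve routine review. The script below is an added example of that review, not code from ESET or the report; it needs the GroupPolicy module (RSAT) on a domain-joined host, and the look-back window is an assumption.

```powershell
# Added example, not from ESET or the APT Activity Report: list Group Policy
# Objects modified in the last $Days days and the SYSVOL files changed with
# them, so a reviewer can see which policies could have pushed content to many
# hosts at once. Requires the GroupPolicy module; $Days is an assumption.
Import-Module GroupPolicy
$Days   = 7
$since  = (Get-Date).AddDays(-$Days)
$domain = $env:USERDNSDOMAIN   # DNS name of the current domain

$report = Get-GPO -All |
    Where-Object { $_.ModificationTime -ge $since } |
    ForEach-Object {
        $gpo    = $_
        $folder = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}"
        # Startup scripts, scheduled-task preferences and file copies all live
        # under this folder, so any recently written file is worth a look.
        $changed = Get-ChildItem -Path $folder -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since }
        [pscustomobject]@{
            GPO          = $gpo.DisplayName
            Modified     = $gpo.ModificationTime
            Owner        = $gpo.Owner
            ChangedFiles = ($changed | ForEach-Object { $_.FullName.Substring($folder.Length) }) -join '; '
        }
    }

$report | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap

# For a full view of what one policy applies, export it as XML for review:
# Get-GPOReport -Name $report[0].GPO -ReportType Xml -Path .\gpo-review.xml
```

Pairing this listing with the Security event log on a domain controller (directory service object modification events for the policy container) ties each change to the account that made it, which is the question an incident responder asks first.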

With APT attacks becoming increasingly common, organizations need to ensure they have sufficient cybersecurity in place. While APT attacks are often harder to detect, organizations can still take the necessary steps and remain vigilant.