Kaspersky experts recently discovered targeted espionage campaigns against financial and military organizations.
Using the Kaspersky Threat Attribution Engine, Kaspersky researchers were able to link more than 300 samples of the Bisonal backdoor to a campaign by the cyber espionage group CactusPete. This latest campaign by the APT group focuses on military and financial targets in Eastern Europe. How the backdoor reaches the victims' devices is still unclear.
CactusPete, also known as Karma Panda or Tonto Team, is a cyber espionage group that has been active since at least 2012. Its currently deployed backdoor targets representatives of the military and financial sectors in Eastern Europe, likely to gain access to confidential information.
First espionage attacks in February 2020
These recent activities by the group were first noticed by Kaspersky researchers in February 2020, when they discovered an updated version of the Bisonal backdoor. With the help of the Kaspersky Threat Attribution Engine, an analysis tool that finds similarities between malicious code and the known code of threat actors, the backdoor could be associated with more than 300 other samples found "in the wild". All samples were discovered between March 2019 and April 2020, around 20 samples per month. This suggests that CactusPete is developing rapidly. The group has continued to refine its skills and this year has gained access to more complex code such as ShadowPad.
The functionality of the malicious payload suggests that the group is looking for highly sensitive information. Once the backdoor is installed on the victim's device, the group can use Bisonal to start various programs unnoticed, terminate processes, upload, download or delete files, and retrieve a list of the available drives. Once the attackers have penetrated deeper into the infected system, a keylogger is used to collect credentials, and additional malware is downloaded that extends the attackers' permissions and thus gradually gives them more control over the system.
CactusPete uses spear phishing emails
It is still unclear how the backdoor got onto the devices in this campaign. In the past, however, CactusPete has relied heavily on spear phishing emails with malicious attachments to infect devices.
"CactusPete is an interesting APT group because it is actually not that advanced, including its Bisonal backdoor," says Konstantin Zykov, security expert at Kaspersky. "Their success is not based on complex technology or sophisticated distribution and obfuscation tactics, but on successful social engineering. They manage to infect high-level targets by having their victims open malicious attachments in phishing emails. This is a good example of why phishing continues to be such an effective method of launching cyber attacks, and why it is so important for companies to train their employees in how to recognize such emails and how to use threat intelligence to stay up to date on the latest threats."
Kaspersky recommendations for protecting against APTs
- The Security Operations Center (SOC) team should always have access to the latest threat intelligence to stay abreast of new and future tools, techniques, and tactics used by threat actors and cybercriminals.
- Companies should implement an EDR solution such as Kaspersky Endpoint Detection and Response in order to be able to detect, investigate and react to incidents in good time.
- Employees should receive regular cybersecurity training, as many targeted attacks begin with phishing or other social engineering techniques. Simulated phishing attacks can help to test and train employees and to raise their awareness of cybercriminals' methods.
- With Kaspersky Threat Attribution Engine, malicious samples can be quickly linked to known attackers.
More on this at Securelist by Kaspersky.
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/