Advanced Persistent Threat


NEWS 
  • Iranian cyberspies leave training videos exposed online

    July 16, 2020

    One of Iran’s top hacking groups has left a server exposed online where security researchers say they found a trove of screen recordings showing the hackers in action. Discovered by IBM’s X-Force cyber-security division, researchers believe the videos are tutorials the Iranian group was using to train new recruits. According to X-Force analysts, the videos were recorded ...

  • Evilnum hackers use the same malware supplier as FIN6, Cobalt

    July 9, 2020

    Hackers in the Evilnum group have developed a toolset that combines custom malware, legitimate utilities, and tools bought from a malware-as-a-service (MaaS) provider that caters to big fintech threat actors. The group has been active since at least 2018 and focuses on companies from the financial technology sector that offer trading and investment platforms. Its targets are ...

  • New Android Spyware Tools Emerge in Widespread Surveillance Campaign

    July 1, 2020

    Researchers have uncovered a surveillance campaign, dating back to at least 2013, which has used a slew of Android surveillanceware tools to spy on the Uyghur ethnic minority group. The campaign uses three never-before-seen Android surveillanceware tools, dubbed SilkBean, GoldenEagle and CarbonSteal, and one previously disclosed tool, DoubleAgent. The purpose of these tools is to gather and ...

  • StrongPity APT Back with Kurdish-Aimed Watering Hole Attacks

    June 30, 2020

    he APT group known as StrongPity is back with a new watering-hole campaign, targeting mainly Kurdish victims in Turkey and Syria. The malware served offers operators the ability to search for and exfiltrate any file or document from a victim’s machine. The group (a.k.a. Promethium) is operating a series of bogus websites purporting to offer a ...

  • Microcin is here

    June 19, 2020

    In February 2020, we observed a Trojan injected into the system process memory on a particular host. The target turned out to be a diplomatic entity. What initially attracted our attention was the enterprise-grade API-like (application programming interface) programming style. Such an approach is not that common in the malware world and is mostly used ...

  • InvisiMole Group Resurfaces Touting Fresh Toolset, Gamaredon Partnership

    June 18, 2020

    The InvisiMole threat group has resurfaced in a new campaign, revealing a new toolset and a strategic collaboration with the high-profile Gamaredon advanced persistent threat (APT) group. InvisiMole was first uncovered by ESET in 2018, with cyberespionage activity dating back to 2013 in operations in Ukraine and Russia. More recently, from late 2019 until at least this month, researchers ...

  • AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations

    June 17, 2020

    When the news broke in 2014 about a new sophisticated threat actor dubbed the Turla Group, which the Estonian foreign intelligence service believes has Russian origins and operates on behalf of the FSB, its kernelmode malware also became the first publicly-described case that abused a third-party device driver to disable Driver Signature Enforcement (DSE). This security mechanism was introduced in Windows Vista ...

  • Russia says Germany has not provided any evidence of Bundestag hack

    June 12, 2020

    Russian officials said this week that German authorities have failed to produce the evidence that Russian military hackers breached the German Parliament in 2015. The statement is in relation to an arrest warrant that Germany filed at the end of May, when they charged a Russian hacker named Dmitriy Sergeyevich Badin. German prosecutors said Badin was a ...

  • Gamaredon hackers use Outlook macros to spread malware to contacts

    June 11, 2020

    New tools attributed to the Russia-linked Gamaredon hacker group include a module for Microsoft Outlook that creates custom emails with malicious documents and sends them to a victim’s contacts. The threat actor disables protections for running macro scripts in Outlook and to plant the source file for the spearphishing attacks that spread malware to other victims. Gamaredon ...

  • Espionage Group Hits U.S. Utilities with Sophisticated Spy Tool

    June 9, 2020

    The APT known as TA410 has added a modular remote-access trojan (RAT) to its espionage arsenal, deployed against Windows targets in the United States’ utilities sector. According to researchers at Proofpoint, the RAT, called FlowCloud, can access installed applications and control the keyboard, mouse, screen, files, services and processes of an infected computer, with the ability ...

  • Cycldek: Bridging the (air) gap

    June 3, 2020

    While investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus ...

  • Threat Assessment: Hangover Threat Group

    June 3, 2020

    Unit 42 researchers recently published on activity by the Hangover threat group (aka Neon, Viceroy Tiger, MONSOON) carrying out targeted cyberattacks deploying BackConfig malware attacks against government and military organizations in South Asia. As a result, we’ve created this threat assessment report for the Hangover Group’s activities. The techniques and campaigns can be visualized using the Unit 42 ...

  • Turla APT Revamps One of Its Go-To Spy Tools

    May 26, 2020

    The Turla APT group has been spotted using an updated version of the ComRAT remote-access trojan (RAT) to attack governmental targets. Turla (a.k.a. Snake, Venomous Bear, Waterbug or Uroboros), is a Russian-speaking threat actor known since 2014, but with roots that go back to 2004 and earlier, according to previous research from Kaspersky. “It is a ...

  • Chafer APT Hits Middle East Govs With Latest Cyber-Espionage Attacks

    May 22, 2020

    Researchers have uncovered new cybercrime campaigns from the known Chafer advanced persistent threat (APT) group. The attacks have hit several air transportation and government victims in hopes of data exfiltration. The Chafer APT has been active since 2014 and has previously launched cyber espionage campaigns targeting critical infrastructure in the Middle East. This most recent wave of cyberattacks ...

  • Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments

    May 12, 2020

    Tropic Trooper, a threat actor group that targets government, military, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong, has been active since 2011. The group was reportedly using spear-phishing emails with weaponized attachments to exploit known vulnerabilities. Primarily motivated by information theft and espionage, the group has also been seen adopting different strategies such ...

  • Updated BackConfig Malware Targeting Government and Military Organizations in South Asia

    May 11, 2020

    Unit 42 has observed activity over the last 4 months involving the BackConfig malware used by the Hangover threat group (aka Neon, Viceroy Tiger, MONSOON). Targets of the spear-phishing attacks, using local and topical lures, included government and military organizations in South Asia. The BackConfig custom trojan has a flexible plug-in architecture for components offering various features, including ...

  • North Korean hackers infect real 2FA app to compromise Macs

    May 9, 2020

    Hackers have hidden malware in a legitimate two-factor authentication (2FA) app for macOS to distribute Dacls, a remote access trojan associated with the North Korean Lazarus group. Dacls has been used to target Windows and Linux platforms and the recently discovered RAT variant for macOS borrows from them much of the functionality and code. The threat actor planted the ...

  • Naikon’s Aria

    May 8, 2020

    Our colleagues at Checkpoint put together a fine research writeup on some Naikon resources and activity related to “aria-body” that we detected in 2017 and similarly reported in 2018. To supplement their research findings, we are summarizing and publishing portions of the findings reported in our June 2018 “Naikon’s New AR Backdoor Deployment to Southeast Asia”. This ...

  • APT trends report Q1 2020

    April 30, 2020

    For more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They ...

  • APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management

    April 22, 2020

    From at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against Chinese targets that Mandiant Threat Intelligence believes was designed to collect intelligence on the COVID-19 crisis. Spear phishing messages were sent by the actor to China’s Ministry of Emergency Management as well as the government of Wuhan province, where COVID-19 ...