A newly discovered APT group, dubbed Calypso after a custom malware RAT that it uses, has been targeting state institutions in six different countries since 2016.
Government organizations in India (34 percent), Brazil and Kazakhstan (18 percent each), Russia and Thailand (12 percent each) and Turkey (6 percent) have all been successfully infiltrated at some point, according to analysts at Positive Technologies (PT), which first spotted the group in March.
As for tactics, the group's typical modus operandi is to breach the network perimeter either by exploiting a Windows SMB remote code-execution vulnerability (CVE-2017-0143) or by using stolen credentials. Once inside the network, the group deploys a backdoor RAT – the Calypso web shell – that it uses to execute commands and upload utilities and malware (including well-known tools like Mimikatz, and the NSA hacking tools EternalBlue and EternalRomance), all in an effort to move laterally. The goal is to reach endpoints on a targeted organization's LAN and steal confidential data. The APT also uses a variety of legitimate administrative tools, which helps it stay under the radar, PT pointed out.
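The two entry points described above (an SMB exploit against the perimeter, then a web shell running commands on the compromised host) each leave a signature a defender can look for. The following is an added, defender-side example, not code from the Positive Technologies report or from the Calypso group's tooling: it runs two simple heuristics over constructed log lines. The first flags inbound TCP/445 connections from non-RFC1918 sources and raises the severity when the destination appears in a hypothetical inventory of hosts not yet patched for CVE-2017-0143. The second flags a web-server worker process spawning a command interpreter, which is how a web shell typically executes the commands it receives. The log formats, IP addresses, host inventory and process names are all constructed for the example.

```python
"""Defender-side heuristics for the intrusion path in the article (added example)."""
import ipaddress

# RFC1918 ranges checked explicitly; ipaddress.is_private would also treat the
# TEST-NET documentation ranges used below as "private", which is not what we want.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Process names that commonly host a web shell, and the interpreters it launches.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat"}
SHELL_PROCS = {"cmd.exe", "powershell.exe", "sh", "bash"}

# Constructed connection log: "src_ip dst_ip dst_port" (TEST-NET addresses as the "external" sources).
CONN_LOG = [
    "203.0.113.10 10.0.0.5 445",
    "10.0.0.7 10.0.0.5 445",       # internal-to-internal SMB, normal file sharing
    "203.0.113.10 10.0.0.9 443",   # external HTTPS, not SMB
    "198.51.100.4 10.0.0.9 445",
]

# Hypothetical asset inventory: hosts still missing the CVE-2017-0143 (MS17-010) fix.
UNPATCHED_SMB_HOSTS = {"10.0.0.5"}

# Constructed process-creation log: "parent_image child_image command_line".
PROC_LOG = [
    "w3wp.exe cmd.exe whoami",
    "explorer.exe cmd.exe ipconfig",   # interactive user, not a web shell pattern
    "httpd sh id",
    "w3wp.exe csc.exe /t:library",     # ASP.NET compiling a page, not a shell
]


def is_internal(ip):
    """True if the address falls inside one of the RFC1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_smb(conn_lines, unpatched_hosts):
    """Return (src, dst, severity) for SMB (TCP/445) connections that enter from outside.

    Severity is 'critical' when the destination is known to be unpatched for
    CVE-2017-0143, otherwise 'high' (SMB should not be reachable from the
    Internet at all).
    """
    findings = []
    for line in conn_lines:
        src, dst, port = line.split()
        if port != "445" or is_internal(src):
            continue
        severity = "critical" if dst in unpatched_hosts else "high"
        findings.append((src, dst, severity))
    return findings


def find_webshell_spawn(proc_lines):
    """Return (parent, child, cmdline) where a web-server process starts a shell."""
    findings = []
    for line in proc_lines:
        parent, child, cmdline = line.split(maxsplit=2)
        if parent in WEB_SERVER_PROCS and child in SHELL_PROCS:
            findings.append((parent, child, cmdline))
    return findings


if __name__ == "__main__":
    for f in find_external_smb(CONN_LOG, UNPATCHED_SMB_HOSTS):
        print("external SMB:", f)
    for f in find_webshell_spawn(PROC_LOG):
        print("web shell spawn:", f)
```

Both checks are deliberately coarse: the SMB rule is really an exposure check (blocking TCP/445 at the perimeter and patching removes the condition entirely), and the process rule will fire on any web application that legitimately shells out, so in practice it is tuned with an allow-list per application rather than treated as a conviction on its own.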