For more than four years, Kaspersky's Global Research and Analysis Team (GReAT) has been publishing quarterly summaries of advanced persistent threat (APT) activity, based on its threat intelligence research.
Most Notable Findings
The SolarWinds incident, reported last December, was notable for the extreme care taken by the attackers and the high-profile nature of the victims. Evidence suggests that the threat actor behind the attack, DarkHalo (aka Nobelium), spent six months inside OrionIT's network perfecting the attack. In June, more than six months after DarkHalo's SolarWinds campaign, researchers observed DNS hijacking of multiple government zones in a CIS member state, which allowed the attackers to redirect traffic from government mail servers to machines under their control, probably by obtaining credentials to the control panel at the victims' domain registrar. When victims tried to reach their corporate mail, they were redirected to a fake copy of the web interface and tricked into downloading previously unknown malware. The backdoor, dubbed Tomiris, shares a number of similarities with Sunshuttle (aka GoldMax), the second-stage malware used by DarkHalo last year. There is also considerable overlap between Tomiris and Kazuar, a backdoor associated with the Turla APT actor. None of these similarities is strong enough on its own to link Tomiris to Sunshuttle with confidence, but taken together they point to the possibility of a common developer or shared development practices.
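The hijack described above happens at the DNS layer, so the most useful detective control a zone owner has is to compare live answers against a trusted baseline. The Python below is an added example (it is not Kaspersky's code and is not tied to the unnamed victim): it takes a baseline of expected MX hosts and the address ranges the organisation actually controls, asks a resolver for the current MX and A answers, and flags new or missing MX hosts and any mail host that now resolves outside the owned ranges, which is what a redirect to attacker-controlled machines looks like from the outside. The zone names, addresses and the dictionary-backed `resolve` function are constructed test data; in production you would substitute real lookups (for example via dnspython) and run the check from several vantage points.

```python
"""Detect MX/A record changes that would redirect mail to attacker-controlled hosts.

Added example: constructed zone data and a dictionary-backed stand-in for a
DNS resolver, so it runs offline. Swap `resolve` for real lookups in practice.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MailBaseline:
    zone: str                 # the zone whose mail routing we protect
    mx_hosts: frozenset       # MX target hostnames recorded at baseline time
    allowed_nets: tuple       # ipaddress networks the organisation controls


def audit_mail_routing(baseline, resolve):
    """Compare live MX/A answers for `baseline.zone` against the baseline.

    `resolve(name, rtype)` must return a list of answer strings: MX target
    hostnames (priority stripped) for "MX", dotted-quad strings for "A", and
    an empty list when the name has no such record.
    Returns a sorted list of (finding, detail) tuples; empty means no drift.
    """
    findings = set()
    live_mx = {h.rstrip(".").lower() for h in resolve(baseline.zone, "MX")}
    expected_mx = {h.rstrip(".").lower() for h in baseline.mx_hosts}

    for host in live_mx - expected_mx:
        findings.add(("NEW_MX_HOST", host))
    for host in expected_mx - live_mx:
        findings.add(("MISSING_MX_HOST", host))

    # A repointed A record on an unchanged MX name is the quieter variant of
    # the attack, so check every live mail host's addresses against owned ranges.
    for host in live_mx:
        addrs = resolve(host, "A")
        if not addrs:
            findings.add(("MX_HOST_DOES_NOT_RESOLVE", host))
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in baseline.allowed_nets):
                findings.add(("MX_HOST_OUTSIDE_OWNED_RANGES", f"{host} -> {addr}"))
    return sorted(findings)


# --- constructed test data (not real infrastructure) -----------------------
BASELINE = MailBaseline(
    zone="gov.example",
    mx_hosts=frozenset({"mail.gov.example"}),
    allowed_nets=(ipaddress.ip_network("198.51.100.0/24"),),
)

# Answers as they should look.
HEALTHY_ANSWERS = {
    ("gov.example", "MX"): ["mail.gov.example."],
    ("mail.gov.example", "A"): ["198.51.100.25"],
}

# Answers after a registrar-panel hijack: same MX name but its A record is
# repointed, and the attacker has added a second MX host of their own.
HIJACKED_ANSWERS = {
    ("gov.example", "MX"): ["mail.gov.example.", "mx.attacker.example."],
    ("mail.gov.example", "A"): ["203.0.113.7"],
    ("mx.attacker.example", "A"): ["203.0.113.8"],
}


def make_resolver(table):
    """Build a resolve(name, rtype) function backed by a constructed answer table."""
    def resolve(name, rtype):
        return list(table.get((name.rstrip(".").lower(), rtype), []))
    return resolve


def run_demo():
    """Return the findings for the healthy and the hijacked snapshot."""
    return (
        audit_mail_routing(BASELINE, make_resolver(HEALTHY_ANSWERS)),
        audit_mail_routing(BASELINE, make_resolver(HIJACKED_ANSWERS)),
    )


if __name__ == "__main__":
    healthy, hijacked = run_demo()
    print("healthy snapshot:", healthy)
    for finding, detail in hijacked:
        print(f"ALERT {finding}: {detail}")
```

The check is deliberately independent of the registrar: it only needs the public answers plus knowledge of which address space is yours, so it keeps working when the registrar account itself is the thing that has been compromised. Run it from outside your own resolvers, since an attacker who controls the zone may serve different answers to different networks.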
APT Activity in Russian-speaking Regions
During the quarter, researchers discovered several malicious infection files, droppers and implants typical of Gamaredon, which may indicate that malicious activity against the Ukrainian government is ongoing, possibly since May. Researchers have not yet been able to reconstruct the full infection chain, because they could retrieve only a subset of the samples, but that did not prevent attribution to Gamaredon. The report details the various dropper and decoder scripts, along with an analysis of the DStealer backdoor and the large infrastructure observed in connection with this activity.
ReconHellcat is a little-known threat actor first publicly spotted in 2020. The earliest account of its activity dates back to March 2020, when MalwareHunterTeam tweeted about a malicious implant delivered in an archive, dubbed BlackWater, whose COVID-themed decoy file name concealed a malicious executable.
BlackWater in turn dropped and opened a decoy document and then contacted a Cloudflare Workers endpoint as its C2 server, a technique that other threat actors were not commonly using at the time. Since this attack method was first spotted, similar TTPs have been used in other attacks covered by QuoIntelligence, suggesting that the underlying actor operates in a targeted fashion, tracking well-known government-related targets. This activity appears to have continued into 2021, when researchers uncovered a series of recent attacks using the same techniques and malware to gain a foothold in diplomatic organizations based in Central Asia. In their private report, the researchers describe the campaign and examine the various changes the attackers made to elements of the infection chain, likely in response to earlier public exposure of their activity.
Since then, researchers have found other files manipulated by ReconHellcat. A new campaign with an evolving infection chain emerged between August and September; Zscaler researchers also described the activity in an article. Among the changes in the updated campaign is reliance on a Microsoft Word template (.dotm) for persistence instead of the Microsoft Word add-in (.wll) used previously. Some TTPs remain the same, however: the new infection chain still delivers the same final implant, the Blacksoul malware, and still uses Cloudflare Workers as a C2 server. ReconHellcat targets government organizations and diplomatic entities in Central Asian countries such as Tajikistan, Kyrgyzstan, Pakistan and Turkmenistan. In addition, the researchers identified two countries not seen in the previous wave of attacks: Afghanistan and Uzbekistan. The shared final implant and C2 technique are what lead the researchers to attribute the new campaign to ReconHellcat.
APT Activity in Chinese-speaking Regions
An APT actor suspected of being HoneyMyte modified a fingerprint scanner software installer package on a distribution server in a South Asian country. The actor edited a configuration file and added a DLL containing a .NET version of the PlugX injector to the installer package. During installation, even without a network connection, the .NET injector decrypts the PlugX backdoor payload, injects it into a newly created svchost system process and attempts to beacon to the C2. Central government employees in that country are required to use this biometric package to record attendance. Researchers have dubbed this supply-chain incident and this particular PlugX variant SmudgeX; the trojanized installer appears to have been available since March.
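The tampering described above has two observable symptoms on the distribution server: one configuration file whose hash has changed, and one file that was never part of the release. The following Python is an added example, not Kaspersky's code and not the victim's software: it builds a SHA-256 manifest of a package directory and diffs it against the manifest produced at release time, so that exactly those two symptoms surface as `modified` and `added` entries. The package layout, file names and contents are constructed for the demonstration.

```python
"""Detect an installer package modified on a distribution server.

Added example, not Kaspersky's code. It builds a SHA-256 manifest of a package
directory and diffs it against the manifest produced when the package was
released. File names and contents below are constructed.
"""
import hashlib
import pathlib
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    root = pathlib.Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(released, observed):
    """Return added / removed / modified paths between two manifests."""
    released_paths, observed_paths = set(released), set(observed)
    return {
        "added": sorted(observed_paths - released_paths),
        "removed": sorted(released_paths - observed_paths),
        "modified": sorted(p for p in released_paths & observed_paths
                           if released[p] != observed[p]),
    }


def run_demo():
    """Release a package, tamper with the served copy, and diff the two."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = pathlib.Path(tmp) / "scanner_setup"
        (pkg / "bin").mkdir(parents=True)
        (pkg / "bin" / "setup.exe").write_bytes(b"constructed installer stub")
        (pkg / "scanner.ini").write_text("[scanner]\nserver=attendance.corp.example\n")
        released = build_manifest(pkg)   # manifest the vendor signed off on

        # Simulated tampering on the distribution server: the config is edited
        # to load an extra DLL, and that DLL is dropped into the package.
        (pkg / "scanner.ini").write_text(
            "[scanner]\nserver=attendance.corp.example\nplugin=bin\\injector.dll\n")
        (pkg / "bin" / "injector.dll").write_bytes(
            b"constructed stand-in for a malicious DLL")

        return diff_manifests(released, build_manifest(pkg))


if __name__ == "__main__":
    report = run_demo()
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            print(f"{kind.upper():9s} {path}")
```

The released manifest has to be produced in the build pipeline and fetched from somewhere other than the distribution server (ideally signed), because an attacker who can edit the package can just as easily rewrite a manifest stored next to it. Code-signing the whole installer gives the same guarantee to the end user; the manifest diff is what lets the operator of the server spot the change before users install it.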
During 2020 and 2021, researchers detected a new ShadowPad loader module, called ShadowShredder, used to attack critical infrastructure in multiple countries, including but not limited to India, China, Canada, Afghanistan and Ukraine. On further investigation, the researchers also found other implants deployed through ShadowPad and ShadowShredder, such as the Quarian backdoor, PlugX, Poison Ivy and other hacking tools. Notably, the Quarian backdoor and Poison Ivy samples show similarities to earlier IceFog campaigns targeting users in Central Asia. ShadowPad is a highly sophisticated modular attack platform that APT groups have been using since 2017. Following its initial discovery, when it was deployed by the actor known as Barium or APT41, researchers published a blog post detailing ShadowPad's technical details and the supply-chain attack in which it was used. In the first quarter of 2020, researchers published a private report on the discovery of an x64 ShadowPad dropper sample. Its loader module uses a distinctive anti-analysis trick: before decrypting the embedded shellcode, it checks whether it was loaded by a specific EXE file by inspecting hardcoded bytes in its own memory space. The recently discovered ShadowShredder loader does not use this technique and instead employs a new obfuscation method. The researchers' report covers the technical analysis of ShadowShredder and the related activity involving second-stage payloads associated with ShadowShredder and ShadowPad.
In June, ESET published a blog post describing a campaign targeting foreign ministries and telecommunications companies in Africa and the Middle East, which they dubbed BackdoorDiplomacy. Researchers link this campaign with high confidence to the CloudComputating threat actor, which targets high-profile entities in the Middle East. During the investigation, ESET found a Linux variant of Quarian that shared a C2 server with a Windows variant; the Linux sample was reportedly deployed by exploiting a known RCE vulnerability (CVE-2020-5902) in the Traffic Management User Interface (TMUI), also known as the Configuration utility, of F5 Networks' BIG-IP. A year earlier, in July 2020, a SANS ISC report had also mentioned deployment of the same Quarian ELF binaries on F5 BIG-IP servers. The report extends the analysis of the Quarian Linux variant and its links to the Windows versions.
Last year, researchers described a campaign attributed to CloudComputating in which the actor exploited a known vulnerability to compromise publicly exposed Microsoft Exchange servers and infect them with the China Chopper web shell. The web shell was then used to upload other malware, usually the Quarian backdoor, which the actor has used since around 2010. The campaign affected Ethiopia, Palestine and Kuwait. ESET's blog post enabled the researchers to link that activity to the campaign they described last June and to extend their earlier investigation, uncovering new, previously unknown variants and victims. The report also covers the variant ESET calls Turian, two other previously unknown Quarian versions, an overview of the builder component used to generate malicious Quarian libraries, and an extended list of IoCs.
ExCone is a set of attacks against targets in the Russian Federation that began in mid-March, in which the attackers exploited a Microsoft Exchange vulnerability to deploy a previously unknown Trojan dubbed FourteenHi. In their earlier analysis, researchers found multiple infrastructure and TTP links to ShadowPad malware and to UNC2643 activity, but were unable to attribute the attacks to any known threat actor. Since that first report they have discovered many more variants, which expanded their knowledge of both the attackers and the campaign. New malware samples reveal a wide range of targets, with victims located in Europe, Central Asia and Southeast Asia. The researchers also observed activity publicly reported by several other vendors that they could correlate with ExCone with high confidence. Finally, a newly discovered malware sample allowed them to link ExCone to the SixLittleMonkeys APT group: one victim was attacked with both FourteenHi and another unknown backdoor, and this new backdoor shares similarities with both FourteenHi and Microcin, a Trojan specific to SixLittleMonkeys.
This quarter, researchers also looked at well-known attacks in South Asia. They discovered a further set of TTPs targeting Indian aerospace and defense research agencies between 2019 and the end of June 2021, involving two previously unknown backdoors: LGuarian and HTTP_NEWS. The former appears to be a new variant of the Quarian backdoor, which the same attackers also use. By tracking the activity, the researchers gathered extensive information about the attackers' post-exploitation process and were able to detail the tools used at that stage and the actions performed on victims' machines, collecting a large number of malware samples and uncovering attacker infrastructure along the way.
On June 3, Check Point released a report on surveillance operations against governments in Southeast Asia, attributing the malicious activity to an actor it named SharpPanda.
In April, researchers investigated a number of malicious installer files imitating Microsoft Update installers, signed with a digital certificate stolen from a company called QuickTech.com. The fake installers display very convincing visuals, reflecting considerable effort by the attackers to make them look legitimate. The final payload is a Cobalt Strike Beacon module, configured with a "microsoft.com" subdomain as its C2 server. The C2 domain code.microsoft[.]com was a dangling DNS subdomain (a record still pointing at a resource its owner had abandoned) that the attackers took over around April 15, posing as the official Visual Studio Code website. Victims were lured into downloading and executing the installers through a fake Microsoft Update Catalog web page, also hosted on another dangling "microsoft.com" subdomain. While investigating the malicious installer files, the researchers came across other malicious binaries and, based on the clues gathered, assess that these were developed and used by the same attackers, who were active from at least January to June. The report analyzes the extended toolset of this actor, which the researchers have named CraneLand.
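A dangling subdomain is a record in your own zone whose target nobody owns any more, and the fix is to find such records before someone else claims them. The Python below is an added example (not Kaspersky's code and not a description of the specific microsoft.com records involved): it walks every CNAME in a zone, follows the chain, and reports targets that end in NXDOMAIN, rating the finding "high" when the dead target sits under a hosted provider where anyone can register the name and "medium" when it is merely stale. The zone records, the provider-suffix list and the dictionary-backed `lookup` function are constructed assumptions; a real run would use a resolver library and a maintained list of claimable providers.

```python
"""Find dangling CNAME records in our own zone (subdomain-takeover exposure).

Added example, not Kaspersky's code. Zone records, provider suffixes and the
dictionary-backed resolver are constructed so the script runs offline.
"""

# Suffixes of hosted services where an unclaimed hostname can be registered by
# anyone. Illustrative assumption for this example, not an exhaustive list.
CLAIMABLE_PROVIDER_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".s3.amazonaws.com",
    ".github.io",
    ".herokuapp.com",
)

MAX_CHAIN = 8  # stop following CNAME chains beyond this depth (loop guard)


def follow_cname_chain(name, lookup):
    """Follow CNAMEs from `name` until an address set, NXDOMAIN or the depth limit.

    `lookup(name)` returns {"cname": target} or {"a": [addrs]} or None for NXDOMAIN.
    Returns (final_name, addrs); addrs is None when the chain ends unresolvable.
    """
    seen = []
    current = name.rstrip(".").lower()
    while len(seen) < MAX_CHAIN:
        seen.append(current)
        rec = lookup(current)
        if rec is None:
            return current, None
        if "cname" in rec:
            nxt = rec["cname"].rstrip(".").lower()
            if nxt in seen:
                return nxt, None  # CNAME loop: treat as unresolvable
            current = nxt
            continue
        return current, list(rec.get("a", []))
    return current, None


def find_dangling_cnames(zone_cnames, lookup):
    """Return [(owner, dangling_target, severity)] for CNAMEs that end in NXDOMAIN.

    Severity is "high" when the dead target is under a provider where anyone
    can claim the name (classic takeover), otherwise "medium" (stale record).
    """
    findings = []
    for owner, target in zone_cnames:
        final, addrs = follow_cname_chain(target, lookup)
        if addrs is None:
            claimable = any(final.endswith(s) for s in CLAIMABLE_PROVIDER_SUFFIXES)
            findings.append((owner, final, "high" if claimable else "medium"))
    return findings


# --- constructed test data -------------------------------------------------
ZONE_CNAMES = [
    ("code.corp.example", "codeapp-prod.azurewebsites.net."),  # abandoned app
    ("docs.corp.example", "corp-docs.github.io."),             # still live
    ("old.corp.example", "decommissioned.corp.example."),      # stale internal
]

DNS_TABLE = {
    "corp-docs.github.io": {"a": ["192.0.2.10"]},
    # the azurewebsites and decommissioned names are deliberately absent => NXDOMAIN
}


def table_lookup(name):
    """Stand-in for a resolver: None models NXDOMAIN."""
    return DNS_TABLE.get(name.rstrip(".").lower())


def run_demo():
    return find_dangling_cnames(ZONE_CNAMES, table_lookup)


if __name__ == "__main__":
    for owner, target, severity in run_demo():
        print(f"[{severity}] {owner} -> {target} does not resolve")
```

NXDOMAIN is the clean case. Some providers keep answering for unclaimed names and serve a "resource not found" page instead, so a complete audit also fingerprints the HTTP response of targets that still resolve to a provider's frontend; the NXDOMAIN pass above is the part that catches the majority of stale records and needs no network access to the provider.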
In July, researchers discovered suspicious JavaScript (JS) content on two seemingly legitimate websites openly critical of China. The obfuscated JS is loaded from a remote domain impersonating the Google brand and starts a chain of malicious JS payloads. At the time of analysis the compromised websites were still serving the JS, but the researchers were unable to link any other malicious activity or infrastructure to this watering hole attack. The malicious JS does not appear to fit traditional cybercriminal goals, and its behaviour is unusual compared with other watering hole attacks the researchers have observed. They believe the payload is designed to profile and target individuals from Hong Kong, Taiwan or mainland China. Any connection to the malicious domains involved should be carefully examined for follow-on malicious activity.