Using Kaspersky Threat Attribution Engine, Kaspersky researchers were able to link more than 300 samples of a backdoor called Bisonal to a campaign by the advanced persistent threat (APT) actor CactusPete, a cyberespionage group active since at least 2012. This latest campaign has focused on military and financial targets in Eastern Europe and highlights how rapidly the group is developing.
CactusPete, also known as Karma Panda or Tonto Team, is a cyberespionage group that has been active since at least 2012. In this campaign the group has upgraded its backdoor to target organizations in the military and financial sectors in Eastern Europe, most likely in an effort to gain access to confidential information. The speed at which new malware samples are being created suggests the group is developing rapidly. Organizations in the region should be on alert.
This most recent wave of activity was first noticed by Kaspersky researchers in February 2020, when they spotted an updated version of the group's Bisonal backdoor. They linked this sample with more than 300 others in the wild using Kaspersky Threat Attribution Engine, a tool that analyzes malicious code for similarities with code deployed by known threat actors in order to determine the group behind an attack.
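As an added illustration of the code-similarity idea behind that kind of attribution: the script below is example code written for this page, not Kaspersky Threat Attribution Engine's algorithm or any of its data. The "samples" are constructed byte strings standing in for binaries, and the two actors are hypothetical. It reduces each sample to a set of byte 4-grams, scores a new sample against each actor's corpus with Jaccard similarity, and shows the pitfall a practitioner checks for first: code that every actor shares (runtime libraries, packer stubs) must be discarded, or a file containing nothing but that shared code gets "attributed" to whichever actor happens to carry the most of it.

```python
"""Toy code-similarity attribution.

Added illustration only: not Kaspersky Threat Attribution Engine's algorithm.
The "samples" are constructed byte strings, and ActorX / ActorY are hypothetical.
"""
from typing import Dict, List, Set, Tuple

N = 4  # byte n-gram size; real systems use function- or basic-block-level features


def byte_ngrams(data: bytes, n: int = N) -> Set[bytes]:
    """All overlapping n-byte substrings of a sample."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def build_profiles(known: Dict[str, List[bytes]],
                   filter_shared: bool = True) -> Tuple[Dict[str, Set[bytes]], Set[bytes]]:
    """One n-gram set per actor; optionally drop n-grams present in every actor's corpus.

    Those common n-grams are treated as shared code (libraries, stubs) that says
    nothing about who wrote the sample.
    """
    profiles = {actor: set().union(*(byte_ngrams(s) for s in samples))
                for actor, samples in known.items()}
    shared: Set[bytes] = set()
    if filter_shared and len(profiles) >= 2:
        shared = set.intersection(*profiles.values())
        profiles = {actor: grams - shared for actor, grams in profiles.items()}
    return profiles, shared


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def attribute(sample: bytes, known: Dict[str, List[bytes]],
              threshold: float = 0.3, filter_shared: bool = True) -> List[Tuple[str, float]]:
    """Actors whose distinctive code overlaps the sample above `threshold`, best match first."""
    profiles, shared = build_profiles(known, filter_shared)
    grams = byte_ngrams(sample) - shared
    scored = sorted(((actor, jaccard(grams, prof)) for actor, prof in profiles.items()),
                    key=lambda t: t[1], reverse=True)
    return [(actor, round(score, 3)) for actor, score in scored if score >= threshold]


# Constructed corpus (hypothetical actors, not real malware).
LIB = b"LIBCOMMON:init;net:connect;"  # "shared library" present in every sample
KNOWN = {
    "ActorX": [LIB + b"CMD:start_proc;CMD:kill_proc;CMD:list_drives;",
               LIB + b"CMD:start_proc;CMD:kill_proc;CMD:upload;"],
    "ActorY": [LIB + b"MOD:screenshot;MOD:clipboard;MOD:mic;"],
}
NEW_SAMPLE = LIB + b"CMD:start_proc;CMD:kill_proc;CMD:list_drives;KEYLOG:on;"
LIB_ONLY = LIB  # a file that contains nothing but the shared library

if __name__ == "__main__":
    print("new sample               ->", attribute(NEW_SAMPLE, KNOWN))
    print("library only, filtered   ->", attribute(LIB_ONLY, KNOWN))
    print("library only, unfiltered ->", attribute(LIB_ONLY, KNOWN, filter_shared=False))
```

With the shared-code filter on, the new sample matches ActorX well above the threshold and ActorY not at all, while the library-only file matches nobody. With the filter off, the library-only file clears the threshold for both actors, which is exactly the false attribution a shared runtime or packer produces in practice.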
All of these samples appeared between March 2019 and April 2020, a pace of roughly 20 samples per month, which underscores how rapidly CactusPete is developing. The group has also continued to refine its capabilities, gaining access to more sophisticated code such as ShadowPad in 2020.
The functionality of the malicious payload suggests the group is after highly sensitive information. Once installed on a victim's device, the Bisonal backdoor allows the operators to silently start programs, terminate processes, upload, download and delete files, and retrieve a list of available drives. As the operators move deeper into the infected system, they deploy keyloggers to harvest credentials and download privilege escalation malware to gradually gain more control over the system.
It is unclear how the backdoor is initially delivered in this latest campaign. In the past, CactusPete has relied primarily on spear-phishing emails carrying malicious attachments; opening the attachment infects the device.
"CactusPete is a rather interesting APT group because it's actually not that advanced, the Bisonal backdoor included," said Konstantin Zykov, senior security researcher at Kaspersky. "Their success comes not from sophisticated technology or complex distribution and obfuscation tactics, but from a successful application of social engineering tactics. They are able to succeed in infecting high-level targets because their victims click on the phishing emails and open the malicious attachments. This is a great example of why phishing continues to be such an effective method for launching cyber attacks and why it's so important for companies to provide their employees with training on how to spot such emails and stay up-to-date on the latest threat intelligence so that they can spot an advanced actor."
Learn more about CactusPete's latest activity on Securelist.
To protect your institution from CactusPete and other APTs, Kaspersky experts recommend:
- Provide your Security Operations Center (SOC) team with access to the latest threat intelligence, and stay up-to-date with new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
- For endpoint-level detection, investigation and timely remediation of incidents, implement an EDR solution, such as Kaspersky Endpoint Detection and Response.
- Provide your staff with basic cybersecurity hygiene training, since many targeted attacks start with phishing or other social engineering techniques. Conduct a simulated phishing attack to confirm that they know how to distinguish phishing emails.
- To quickly link new malicious samples with known attack actors, implement Kaspersky Threat Attribution Engine.