
Woburn, MA – October 16, 2019 – According to Kaspersky, advanced persistent threat (APT) activity in the third quarter of 2019 has indicated an increase in the usage and number of new and previously unknown malicious toolsets. This research highlights a consistent trend that threat actors are further diversifying their techniques to evade detection.

The three-month APT trends summary for the last quarter is derived from Kaspersky’s private threat intelligence research, as well as other sources that report on major developments that researchers believe everyone should be aware of.

In Q3 2019, Kaspersky researchers’ biggest observation is that APTs are expanding their toolsets across the world. The most significant changes include:

  • Turla (aka Venomous Bear, Uroburos and Waterbug) has made significant changes to its toolset. While investigating malicious activity in Central Asia, Kaspersky identified a new backdoor that was attributed with some degree of confidence to this APT group. The malware, named “Tunnus,” is a .NET-based backdoor with the ability to run commands or perform file actions on an infected system and send the results to its command-and-control servers. So far, the infrastructure has been built using compromised sites with vulnerable WordPress installations. According to the company’s telemetry, Tunnus activity started in March and remained active.
  • Turla has also wrapped its famous JavaScript KopiLuwak malware in a new dropper called “Topinambour.” This is a new .NET file that the group is using to distribute and drop its JavaScript KopiLuwak through infected installation packages for legitimate software programs such as VPNs. Some of the changes help Turla dodge detection. The two KopiLuwak analogues, the .NET “RocketMan” Trojan and the PowerShell “MiamiBeach” Trojan, are used for cyber-espionage. It is possible that a threat actor deploys these versions when their targets are protected with security software that is able to detect KopiLuwak. All three implants are able to fingerprint targets, gather information on system and network adapters, steal files and download and execute additional malware.
  • HoneyMyte (aka Temp.Hex and Mustang Panda), which has been active for several years, has adopted different techniques to perform its attacks over the past couple of years and has focused on various targeting profiles. The campaign targeted government entities in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh. The actor’s attacks relied on a diverse set of tools: (a) PlugX implants; (b) a multi-stage package resembling the CobaltStrike stager and stageless droppers with PowerShell and VB scripts, .NET executables, cookie-stealers and more; (c) ARP poisoning with DNS hijacking malware, to deliver poisoned Flash and Microsoft updates over HTTP for lateral movement; and finally (d) various system and network utilities. Based on the targeting of government organizations related to natural resource management in Myanmar and a major continental African organization, it is possible that one of the main motivations of HoneyMyte is gathering geo-political and economic intelligence.
  • In August, Dragos published an overview of attacks called “Oil and Gas Threat Perspective Summary”, which references an alleged new threat actor they call “Hexane.” Dragos claims to have identified the group in May 2019, associating it with OilRig and CHRYSENE. Kaspersky analysis reveals some low-confidence similarities with OilRig based on TTPs, which is something that Dragos also mentions in its research.

“Just as we predicted last year, in seeking to evade detection, threat actors refresh their toolsets and go into deep waters,” said Vicente Diaz, security researcher, Global Research and Analysis Team, Kaspersky. “This quarter, we have seen this clearly in the developments by a number of APT actors and campaigns across the globe. This is a challenge for researchers. When a new campaign is observed, it’s not always immediately clear whether the tools used are the result of an established threat actor revamping its tools, or a completely new threat actor making use of the tools developed by an existing APT group. Still, it highlighted the importance of investing in threat landscape intelligence. Knowledge is power, and you can only know where the danger might come from only informing yourself in advance.”

The APT trends report for Q3 summarizes the findings of Kaspersky’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware-hunting. For more information, please contact:

To read the full APT Q3 2019 trends report, please visit Securelist.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at

Media Contact:

Cassandra Faro

Sophisticated APTs Diversify Toolsets in Q3 2019
