Short Summary:
In Q3 2024, APT groups from China, North Korea, Iran, and Russia intensified their cyber operations, employing sophisticated techniques and targeting critical infrastructure. Chinese APTs focused on network devices, North Korean actors escalated attacks on various sectors, Iranian groups expanded their espionage efforts, and Russian actors utilized social engineering tactics. The report emphasizes the need for vigilance and proactive cybersecurity measures.
Key Points:
- Chinese APTs like Earth Baku and Velvet Ant targeted critical infrastructure with advanced malware.
- North Korean groups escalated cyber espionage against energy, aerospace, and financial sectors.
- Iranian APTs employed custom malware and social engineering tactics across the Middle East.
- Russian actors used deceptive campaigns targeting diplomatic entities.
- Ongoing vigilance and user education are crucial in the evolving cybersecurity landscape.
MITRE ATT&CK TTPs – created by AI
- Command and Control – T1071: Application Layer Protocol
- Command and Control – T1095: Non-Application Layer Protocol
- Command and Control – T1573: Encrypted Channel
- Defense Evasion – T1630.002: Indicator Removal on Host: File Deletion
- Discovery – T1421: System Network Connections Discovery
- Discovery – T1430: Location Tracking
- Collection – T1430: Location Tracking
- Collection – T1638: Adversary-in-the-Middle
EXECUTIVE SUMMARY
In the third quarter of 2024, Advanced Persistent Threat (APT) groups from China, North Korea, Iran, and Russia intensified their cyber operations, showcasing heightened sophistication and strategic focus. Chinese APTs like Earth Baku and Velvet Ant targeted critical infrastructure, while groups such as APT41 expanded their scope globally, leveraging zero-day exploits and custom backdoors. North Korean actors escalated attacks against the energy, aerospace, and financial sectors using advanced spear-phishing techniques and sophisticated malware variants, and Iranian groups deployed custom tools across the Middle East, focusing on espionage against governmental and military targets. Russian actors, meanwhile, employed deceptive social engineering campaigns targeting diplomatic and governmental entities.
This report comprehensively analyses the dynamic APT activities observed in Q3 2024, emphasizing the need for ongoing vigilance, user education, and prompt software updates in the ever-evolving cybersecurity landscape.
KEY TRENDS OBSERVED IN Q3 2024
- Iranian APTs expanded their regional reach, with groups like MuddyWater and APT34 employing custom malware, such as BugSleep, and sophisticated social engineering tactics. Their campaigns targeted governments and critical infrastructure throughout the Middle East, reflecting a notable escalation in espionage efforts across the region.
- Russian APTs capitalized on zero-day vulnerabilities, with APT29 and APT28 specifically targeting n-day vulnerabilities in iOS and Chrome. They employed watering hole attacks and modular malware to successfully infiltrate diplomatic and government networks, enhancing their espionage capabilities.
- In this quarter, Chinese APTs were observed shifting their focus to critical network infrastructure. Groups like APT41 and Earth Baku deployed advanced malware, including ShadowPad and VELVETSHELL, against network devices such as Cisco Nexus switches.
- In Q3 2024, North Korean APTs escalated their cyber espionage campaigns, with groups like Kimsuky and Lazarus aggressively targeting Korean, Russian, and academic sectors, utilizing spear-phishing and advanced malware, such as MoonPeak and FPSpy.
IRANIAN APT ACTIVITIES
Targeted Country
- Yemen
- Saudi Arabia
- Egypt
- Oman
- UAE
- Qatar
- Turkey
- Israel
- India
- Portugal
- Azerbaijan
- Jordan
- USA
Targeted Technology
- Android
- Microsoft
- Remote Monitoring Tools
- Windows
Targeted Industries
- Government
- Military
- Municipalities
- Airlines
- Travel agencies
- Media
- Financial institutions
- Healthcare facilities
HOUTHI-ALIGNED THREAT ACTOR
Researchers have uncovered a sophisticated Android surveillanceware, “GuardZoo,” which is actively targeting military personnel across the Middle East. This malware, attributed to a Houthi-aligned threat actor, is distributed through social engineering tactics, using malicious apps, disguised with military and religious themes on platforms like WhatsApp and mobile browsers. GuardZoo has infected devices in Yemen, Saudi Arabia, Egypt, Oman, UAE, Qatar, and Turkey, with over 450 IP addresses linked to victims. Once installed, it extracts sensitive data, such as photos, documents, GPS data, and device configurations, while disabling local logging and exfiltrating files commonly used in GPS applications, including KMZ, WPT, RTE, and TRK extensions. Built on the Dendroid RAT framework, GuardZoo has introduced updated features, such as the installation of additional malware, increasing its capacity for intrusion. This campaign, which continues to evolve by deploying apps with religious and military themes, poses significant strategic risks to military forces and national security infrastructure across the region.
MITRE ATT&CK Tactics and Techniques

| Tactic | ID | Techniques |
| --- | --- | --- |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Command and Control | T1573 | Encrypted Channel |
| Defense Evasion | T1630.002 | Indicator Removal on Host: File Deletion |
| Discovery | T1421 | System Network Connections Discovery |
| Discovery | T1430 | Location Tracking |
| Collection | T1430 | Location Tracking |
| Collection | T1638 | Adversary-in-the-Middle |
MUDDYWATER
MuddyWater, a persistent and sophisticated Iran-linked threat group, has expanded its phishing campaigns across the Middle East, targeting countries like Israel, Saudi Arabia, Turkey, India, Portugal, Azerbaijan, and Jordan. These attacks span multiple sectors, including municipalities, airlines, travel agencies, media, and government entities, highlighting their strategic objectives. The group typically uses spear-phishing emails from compromised accounts, with early lures promoting municipal apps, while more recent campaigns have shifted to general themes like webinar invitations, making them reusable across different targets. In May 2024, MuddyWater introduced the custom-made BugSleep backdoor, a sophisticated malware that partially replaces the use of legitimate remote monitoring tools. BugSleep features advanced evasion techniques, including multiple Sleep API calls to bypass sandboxes, DLL injection prevention, and encrypted communication with its Command and Control (C&C) server. Since February 2024, the group has sent over 50 spear-phishing emails to more than 10 sectors, showcasing their evolving tactics and adaptability. Their operations emphasize intelligence gathering and operational disruption, with an increased focus on higher-volume attacks and the deployment of customized malware like BugSleep.
MITRE ATT&CK Tactics and Techniques

| Tactic | ID | Techniques |
| --- | --- | --- |
| Execution | T1053 | Scheduled Task/Job |
| Execution | T1129 | Shared Modules |
| Persistence | T1053 | Scheduled Task/Job |
| Privilege Escalation | T1053 | Scheduled Task/Job |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1548 | Abuse Elevation Control Mechanism |
| Privilege Escalation | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1027.002 | Software Packing |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1564 | Hide Artifacts |
| Defense Evasion | T1564.001 | Hidden Files and Directories |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1573 | Encrypted Channel |
APT34
A recent cyber-espionage campaign by Iranian APT34 (OilRig) has been targeting the Iraqi government, using a custom toolset and sophisticated Command and Control (C2) infrastructure. The operation, active for several months, combines techniques commonly associated with Iranian threat actors. It features custom DNS tunneling and email-based C2 channels, leveraging compromised email accounts within the target organization. Initial infections are triggered through social engineering, with files disguised by double extensions, such as “Avamer.pdf.exe” and “Protocol.pdf.exe,” uploaded to VirusTotal from Iraq between March and May 2024. Upon execution, PowerShell or PyInstaller scripts drop the malware and manipulate file access times, creating persistence via Windows registry entries. Two new .NET backdoors, Veaty and Spearal, are deployed, each using XML-based configuration files with base64 encoding. Spearal communicates via DNS tunneling using Base32 encoding, while Veaty relies on compromised gov-iq.net email accounts to issue commands and transfer files. This campaign underscores APT34’s ongoing efforts to penetrate regional government infrastructures with custom tools and advanced C2 mechanisms, reinforcing their role in cyber espionage across the Middle East.
MITRE ATT&CK Tactics and Techniques

| Tactic | ID | Techniques |
| --- | --- | --- |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1106 | Native API |
| Execution | T1129 | Shared Modules |
| Persistence | T1137 | Office Application Startup |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Persistence | T1574 | Hijack Execution Flow |
| Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Privilege Escalation | T1547 | Boot or Logon Autostart Execution |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1574 | Hijack Execution Flow |
| Privilege Escalation | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1620 | Reflective Code Loading |
| Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing |
| Defense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1070 | Indicator Removal |
| Defense Evasion | T1070.006 | Indicator Removal: Timestamp |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Defense Evasion | T1562 | Impair Defenses |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
| Defense Evasion | T1564 | Hide Artifacts |
| Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| Defense Evasion | T1574 | Hijack Execution Flow |
| Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Discovery | T1010 | Application Window Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1018 | Remote System Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1497 | Virtualization/Sandbox Evasion |
| Discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Discovery | T1518 | Software Discovery |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery |
| Credential Access | T1056 | Input Capture |
| Collection | T1056 | Input Capture |
| Collection | T1560 | Archive Collected Data |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Command and Control | T1573 | Encrypted Channel |
| Impact | T1485 | Data Destruction |
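Two of the APT34 tradecraft elements described above, Base32-encoded DNS tunnelling (Spearal) and double-extension droppers such as “Avamer.pdf.exe”, lend themselves to simple log-side heuristics. The following is an added example, not code from the report or from any vendor; the DNS log format, the label-length threshold and the per-domain count threshold are assumptions, and the sample log is constructed.

```python
"""Heuristics for two pieces of APT34 tradecraft: DNS tunnelling with
Base32-encoded labels (Spearal) and double-extension droppers such as
'Avamer.pdf.exe'. Added example, not code from the report or any vendor.
The DNS log format, the label-length threshold and the per-domain count
threshold are assumptions; the sample log is constructed."""
from __future__ import annotations

import base64
import binascii
import re
from collections import defaultdict
from typing import Optional

# Assumption: a label of 16+ Base32 characters (A-Z, 2-7, no 0/1/8/9) is long
# enough to count; short legitimate hostnames rarely look like this.
BASE32_LABEL = re.compile(r"^[A-Za-z2-7]{16,}$")
MIN_DISTINCT_LABELS = 4  # assumption: distinct encoded labels per parent domain

DOUBLE_EXT = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.(exe|scr|bat|cmd|ps1|js|vbs|hta)$",
    re.IGNORECASE,
)


def decode_base32_label(label: str) -> Optional[bytes]:
    """Decode an unpadded Base32 DNS label; None if it is not valid Base32."""
    padded = label.upper() + "=" * (-len(label) % 8)
    try:
        return base64.b32decode(padded)
    except binascii.Error:
        return None


def is_double_extension(filename: str) -> bool:
    """True for 'document.pdf.exe'-style names that hide an executable."""
    return DOUBLE_EXT.search(filename) is not None


def find_tunnelling_domains(log_lines: list[str]) -> dict[str, list[bytes]]:
    """Map parent domain -> decoded label payloads, for parents that received
    at least MIN_DISTINCT_LABELS distinct Base32-looking subdomain labels.

    Each line is assumed to be '<time> <client> <qname> <qtype>'. The parent
    domain is taken as the last two labels (an assumption; production code
    should use a public-suffix list instead).
    """
    seen: dict[str, dict[str, bytes]] = defaultdict(dict)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        labels = parts[2].rstrip(".").split(".")
        if len(labels) < 3:
            continue
        parent = ".".join(labels[-2:])
        for label in labels[:-2]:
            if BASE32_LABEL.match(label):
                decoded = decode_base32_label(label)
                if decoded is not None:
                    seen[parent][label.upper()] = decoded
    return {
        parent: list(payloads.values())
        for parent, payloads in seen.items()
        if len(payloads) >= MIN_DISTINCT_LABELS
    }


def _label(data: bytes) -> str:
    """Encode a chunk the way a tunnelling implant would: Base32, padding
    stripped, lower-cased (DNS is case-insensitive). Used only to build the
    constructed sample below."""
    return base64.b32encode(data).decode().rstrip("=").lower()


# Constructed sample log: three benign queries, then an implant exfiltrating
# a host profile in five chunks to a placeholder C2 domain.
SAMPLE_DNS_LOG = [
    "2024-05-02T10:00:01Z 10.1.2.3 www.example.com A",
    "2024-05-02T10:00:02Z 10.1.2.3 mail.example.com MX",
    "2024-05-02T10:00:03Z 10.1.2.3 cdn-assets.example.net A",
] + [
    f"2024-05-02T10:01:0{i}Z 10.1.2.3 {_label(chunk)}.c2-placeholder.test TXT"
    for i, chunk in enumerate(
        [b"host=WS-FIN-07;", b"user=j.doe;", b"os=Windows10;",
         b"seq=00000003;", b"cmd=ready;"]
    )
]


def main() -> None:
    for parent, chunks in find_tunnelling_domains(SAMPLE_DNS_LOG).items():
        print(f"possible DNS tunnelling to {parent}: {b''.join(chunks)!r}")
    for name in ("Avamer.pdf.exe", "Protocol.pdf.exe", "budget.xlsx"):
        print(f"{name}: {'suspicious' if is_double_extension(name) else 'ok'}")


if __name__ == "__main__":
    main()
```

Long alphabetic hostnames can decode as valid Base32 by chance, so the per-domain distinct-label count, not a single match, is what should raise the alert.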
PIONEER KITTEN
In Q3 2024, the FBI, CISA, and the Department of Defense Cyber Crime Center (DC3) issued a joint advisory warning against Iran-based cyber actors known as Pioneer Kitten (also referred to as Fox Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm). Active since 2017, this group has targeted U.S. and foreign organizations, including schools, municipal governments, financial institutions, and healthcare facilities, with a surge in activity as recently as August 2024. Pioneer Kitten, assessed to be linked with the Iranian government, has conducted network intrusions to steal sensitive technical data, particularly against organizations in Israel and Azerbaijan. A significant portion of their U.S.-focused efforts has been geared toward providing ransomware affiliates, such as NoEscape, Ransomhouse, and ALPHV (BlackCat), with full domain control and admin credentials. Pioneer Kitten not only facilitates initial access for ransomware deployments but also collaborates in locking networks and extorting victims, receiving a share of ransom payments for successful operations. Despite these ransomware collaborations, Pioneer Kitten primarily directs its activities towards entities aligned with Iranian state interests, particularly in sectors such as defense and technology, targeting organizations in Israel, Azerbaijan, and the UAE to steal sensitive information.
MITRE ATT&CK Tactics and Techniques

| Tactic | ID | Techniques |
| --- | --- | --- |
| Reconnaissance | T1596 | Search Open Technical Databases |
| Initial Access | T1190 | Exploit Public-Facing Application |
| Initial Access | T1133 | External Remote Services |
| Persistence | T1505.003 | Server Software Component: Web Shell |
| Persistence | T1136.001 | Create Account: Local Account |
| Persistence | T1098 | Account Manipulation |
| Persistence | T1053 | Scheduled Task/Job |
| Persistence | T1505 | Server Software Component |
| Privilege Escalation | T1078.003 | Valid Accounts: Local Accounts |
| Privilege Escalation | T1078.002 | Valid Accounts: Domain Accounts |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
| Defense Evasion | T1562.010 | Impair Defenses: Downgrade Attack |
| Credential Access | T1056 | Input Capture |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Discovery | T1012 | Query Registry |
| Discovery | T1482 | Domain Trust Discovery |
| Command and Control | T1219 | Remote Access Software |
| Command and Control | T1572 | Protocol Tunneling |
RUSSIAN APT ACTIVITIES
Targeted Country
- Mongolia
- USA
Targeted Technology
- Windows
- Chrome
- iOS
Targeted Industries
- Government
APT28
A sophisticated phishing campaign, attributed to the Russian state-sponsored group Fighting Ursa (APT28), targeted diplomatic personnel earlier this year using a deceptive lure involving a car sale, a tactic known to resonate with diplomats. Victims were enticed to download a malicious ZIP archive containing a variant of the modular HeadLace backdoor, designed for persistence and capable of delivering secondary payloads. The campaign leveraged legitimate web services like Webhook.site to host malicious content, obfuscating the attack infrastructure and complicating detection efforts. This operation highlights Fighting Ursa’s evolving tactics, repurposing social engineering methods previously used by APT29, and increasingly relying on trusted digital platforms for evasion. The modular nature of HeadLace allows attackers to execute their attack in stages, enhancing their operational flexibility and ability to evade detection. Targeting diplomatic personnel aligns with Fighting Ursa’s history of espionage and intelligence gathering, underscoring the persistent threat they pose. Organizations must remain vigilant against phishing campaigns and enhance their detection and response capabilities to counter such advanced threats.
MITRE ATT&CK Tactics and Techniques

| Tactic | ID | Techniques |
| --- | --- | --- |
| Persistence | T1574 | Hijack Execution Flow |
| Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Privilege Escalation | T1574 | Hijack Execution Flow |
| Privilege Escalation | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Defense Evasion | T1202 | Indirect Command Execution |
| Defense Evasion | T1218 | System Binary Proxy Execution |
| Defense Evasion | T1218.011 | System Binary Proxy Execution: Rundll32 |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Defense Evasion | T1574 | Hijack Execution Flow |
| Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1497 | Virtualization/Sandbox Evasion |
| Command and Control | T1071 | Application Layer Protocol |
APT29
Between November 2023 and July 2024, multiple exploit campaigns targeted Mongolian government websites through a watering hole attack. These campaigns employed an iOS WebKit exploit and a Chrome exploit chain, leveraging vulnerabilities with existing patches to target unpatched devices. The attacks are assessed with moderate confidence to be linked to the Russian government-backed APT29. Notably, the exploits used were either identical or strikingly similar to those previously utilized by commercial surveillance vendors (CSVs), such as Intellexa and NSO Group.
The watering hole attacks initially compromised the Mongolian sites cabinet[.]gov[.]mn and mfa[.]gov[.]mn to deliver an exploit for CVE-2023-41993 targeting iOS versions older than 16.6.1. This exploit, involving a cookie stealer framework, was observed again in a similar form in February 2024. In July 2024, the focus shifted to Android users, with a Chrome exploit chain targeting CVE-2024-5274 and CVE-2024-4671 delivered through a newly compromised iframe.
The iOS attack involved a reconnaissance payload identifying device specifics before deploying the WebKit exploit to exfiltrate browser cookies. This exploit did not affect iOS 16.7 or devices with lockdown mode enabled. The Chrome attack, on the other hand, required an additional sandbox escape to bypass Chrome’s site isolation, employing obfuscated JavaScript to deliver the payload. The Chrome exploit involved storing status information using indexedDB and ultimately exfiltrated cookies, account data, login credentials, and browser history.
The exploits used in these campaigns were either identical or very similar to those from CSVs, indicating that APT actors are repurposing n-day exploits initially used as zero-days by commercial entities. Despite the overlap in exploit techniques, the delivery methods and secondary objectives of the campaigns exhibited differences.
MITRE ATT&CK Tactics and Techniques

| Tactic | ID | Techniques |
| --- | --- | --- |
| Initial Access | T1189 | Drive-by Compromise |
| Execution | T1203 | Exploitation for Client Execution |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers |
| Discovery | T1082 | System Information Discovery |
| Collection | T1114 | Email Collection |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1489 | Service Stop |
CHINESE APT ACTIVITIES
Targeted Country
- Africa
- Cambodia
- China
- Europe
- Georgia
- Germany
- Italy
- Myanmar
- Philippines
- Qatar
- Romania
- Singapore
- Southeast Asia
- Spain
- Taiwan
- Thailand
- Turkey
- UAE
- United Kingdom
- United States
Targeted Industries
- Government
- Logistics
- Manufacturing
- Trading
- NGO
- Shipping
- Telecommunications
- Technology
Targeted Technology
- IP Cameras
- Linux
- Google services
- Windows
- Routers
- IIS servers
VELVET ANT
The evolving cyber espionage landscape in Q3 2024 highlights the China-nexus group ‘Velvet Ant’ exploiting a zero-day vulnerability (CVE-2024-20399) in Cisco Nexus switches. This advanced attack involves bypassing the NX-OS command-line interface (CLI) using valid administrator credentials to access the underlying Linux operating system. By leveraging the vulnerability, Velvet Ant deployed malware known as ‘VELVETSHELL,’ which remains undetected by conventional security tools because the appliance restricts access to the OS layer.
The attackers utilized command injection techniques to execute malicious scripts, loading their backdoor binary into the system. The compromised system revealed multiple malicious activities, including the use of Base64-encoded commands and manipulating legitimate binaries like ‘curl’ to disguise the malware as system components, increasing stealth and persistence. This tactic underscores the threat actor’s capability to exploit network appliances as hidden access points within compromised environments.
The deployed malware offers extensive capabilities, including remote command execution, file transfers, and traffic tunneling, providing long-term control over compromised systems. Forensic analysis revealed that ‘VELVETSHELL’ is a customized hybrid of the open-source tools TinyShell and 3proxy, allowing it to perform sophisticated espionage functions like data exfiltration and maintaining network persistence.
This activity reflects the group’s adaptation and escalation in techniques, moving from traditional endpoint compromises to exploiting critical network infrastructure, emphasizing the need for organizations to implement rigorous monitoring and logging measures on their network appliances to mitigate such advanced persistent threats.
MITRE ATT&CK Tactics and Techniques

| Tactic | ID | Techniques |
| --- | --- | --- |
| Execution | T1059.008 | Command and Scripting Interpreter: Network Device CLI |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Persistence | T1078.003 | Valid Accounts: Local Accounts |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Defense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File |
| Defense Evasion | T1036.003 | Masquerading: Rename System Utilities |
| Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion |
| Defense Evasion | T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking |
| Discovery | T1018 | Remote System Discovery |
| Discovery | T1046 | Network Service Discovery |
| Discovery | T1049 | System Network Connections Discovery |
| Discovery | T1057 | Process Discovery |
| Lateral Movement | T1021.004 | Remote Services: SSH |
| Lateral Movement | T1570 | Lateral Tool Transfer |
| Command and Control | T1090.001 | Proxy: Internal Proxy |
APT41
APT41, also known as Barium, Wicked Panda, and Wicked Spider, is a highly sophisticated Chinese-backed cyber threat group, renowned for its extensive cyber espionage and cybercrime operations. APT41 has conducted a sustained campaign targeting sectors like global shipping, logistics, technology, media, and automotive industries, mainly affecting organizations in Italy, Spain, Taiwan, Thailand, Turkey, and the UK. The group used ANTSWORD and BLUEBEAM web shells to deploy DUSTPAN, an in-memory dropper, which led to the execution of the BEACON backdoor for command-and-control operations. Later, APT41 utilized DUSTTRAP, a multi-stage plugin framework, enabling data exfiltration and advanced network operations.
The attackers employed SQLULDR2 to export Oracle database contents and PINEGROVE for exfiltrating data via OneDrive. Notably, DUSTTRAP executed payloads in memory, leaving minimal forensic traces, and used plugins for tasks, such as file manipulation, network probing, and Active Directory operations. APT41’s campaign also involved code-signing certificates, likely stolen from companies in the gaming industry, aligning with the group’s history of combining espionage with financially motivated activity. The operation demonstrates APT41’s capability to blend legitimate traffic with malicious actions, complicating detection efforts.
MITRE ATT&CK Tactics and Techniques

| Tactic | ID | Techniques |
| --- | --- | --- |
| Execution | T1129 | Shared Modules |
| Persistence | T1574 | Hijack Execution Flow |
| Persistence | T1574.002 | DLL Side-Loading |
| Privilege Escalation | T1574 | Hijack Execution Flow |
| Privilege Escalation | T1574.002 | DLL Side-Loading |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1218 | System Binary Proxy Execution |
| Defense Evasion | T1218.011 | Rundll32 |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Defense Evasion | T1574 | Hijack Execution Flow |
| Defense Evasion | T1574.002 | DLL Side-Loading |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1497 | Virtualization/Sandbox Evasion |
| Command and Control | T1071 | Application Layer Protocol |
In Q3 2024, researchers uncovered a sophisticated cyber-espionage campaign targeting a Taiwanese government-affiliated research institute, which began as early as July 2023. The attack, attributed to APT41, a Chinese-linked threat group, involved the deployment of advanced malware, such as ShadowPad and Cobalt Strike. The attackers exploited an outdated Microsoft Office IME binary to deliver a second-stage loader, which initiated ShadowPad, a highly modular remote access trojan (RAT) commonly linked to Chinese threat actors.
The attackers employed several sophisticated techniques to establish and maintain persistence within the compromised network. They deployed webshells, leveraged RDP access, and utilized reverse shells to drop ShadowPad and Cobalt Strike payloads. In addition, a custom loader was used to exploit CVE-2018-0824, a remote code execution vulnerability, enabling local privilege escalation on the targeted systems.
APT41 also relied on PowerShell commands to download and execute additional malicious scripts from their command-and-control (C2) infrastructure, which was found to overlap with previous campaigns attributed to the group. Notably, they used a Bitdefender executable to sideload ShadowPad and an anti-antivirus Cobalt Strike loader sourced from a Chinese GitHub project, which used steganography to conceal its payload in images.
Once inside the network, the threat actors harvested credentials using tools like Mimikatz and WebBrowserPassView. They conducted network reconnaissance using basic system commands and exfiltrated sensitive data by compressing it into encrypted archives before transmitting it to remote servers. These actions, coupled with the observed infrastructure and tactics, techniques, and procedures (TTPs), strongly link the campaign to APT41.
MITRE ATT&CK Tactics and Techniques

| Tactic | ID | Techniques |
| --- | --- | --- |
| Execution | T1129 | Shared Modules |
| Persistence | T1574 | Hijack Execution Flow |
| Persistence | T1574.002 | DLL Side-Loading |
| Privilege Escalation | T1574 | Hijack Execution Flow |
| Privilege Escalation | T1574.002 | DLL Side-Loading |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1027.005 | Indicator Removal from Tools |
| Defense Evasion | T1218 | System Binary Proxy Execution |
| Defense Evasion | T1218.011 | Rundll32 |
| Defense Evasion | T1574 | Hijack Execution Flow |
| Defense Evasion | T1574.002 | DLL Side-Loading |
| Credential Access | T1056 | Input Capture |
| Discovery | T1082 | System Information Discovery |
| Collection | T1056 | Input Capture |
| Command and Control | T1071 | Application Layer Protocol |
EARTH BAKU
In Q3 2024, researchers identified Earth Baku, a threat actor linked to APT41, expanding its operations beyond the Indo-Pacific region to Europe, the Middle East, and Africa (MEA), targeting countries such as Italy, Germany, UAE, and Qatar, with potential activity in Georgia and Romania. Earth Baku leverages public-facing applications, particularly IIS servers, for initial access and deploys a range of sophisticated malware tools, including the Godzilla webshell, StealthVector, StealthReacher, and the latest modular backdoor, SneakCross.
StealthVector and StealthReacher are customized loaders that launch backdoor components, employing advanced encryption (AES) and code obfuscation techniques. SneakCross, the group’s newest backdoor, uses Google services for command-and-control (C&C) communication and boasts a modular design that allows easy updates for varying operations. Post-exploitation, Earth Baku uses tools like a customized iox tool for reverse tunneling, Rakshasa for multi-level proxying, Tailscale for VPN connectivity, and MEGAcmd to exfiltrate data via MEGA cloud storage.
Victims include sectors such as government, telecom, media, technology, and healthcare, demonstrating the group’s broad target scope. Earth Baku’s new toolsets show advanced defense evasion techniques, including disabling Event Tracing for Windows (ETW) and Control Flow Guard (CFG), using DLL hollowing, and employing Windows Fibers to evade detection.
Overall, Earth Baku’s transition to more sophisticated malware and tactics, along with its expansion into new geographical regions, underscores its growing threat to global cybersecurity, necessitating enhanced defensive measures to mitigate the risks posed by this evolving adversary.
MITRE ATT&CK Tactics and Techniques

| Tactic | ID | Techniques |
| --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Persistence | T1543 | Create or Modify System Process |
| Execution | T1203 | Exploitation for Client Execution |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Credential Access | T1003 | OS Credential Dumping |
| Collection | T1119 | Automated Collection |
| Exfiltration | T1041 | Exfiltration Over Command-and-Control Channel |
| Impact | T1485 | Data Destruction |
EARTH LUSCA
In a recent development, researchers have discovered a new multiplatform backdoor named KTLVdoor, which has been linked to the Earth Lusca advanced persistent threat (APT), a Chinese-speaking group. This malware, written in Golang, has both Windows and Linux versions and has been observed in the wild masquerading as common system utilities like sshd, Java, SQLite, and bash. The use of dynamic libraries (.DLL or .SO files) as the malware’s agent enhances its ability to remain undetected while allowing the attackers to fully control the compromised environment.
KTLVdoor’s features enable attackers to execute commands, manipulate files, gather system and network data, perform remote port scanning, and transfer files between infected systems and their C&C (command and control) servers. The communication with C&C servers is encrypted using AES-GCM and messages are GZIP-compressed. A unique aspect of this malware is its support for both simplex and duplex communication modes.
The malware’s configuration is highly obfuscated and stored using a custom TLV-like format (Type-Length-Value), with parameters, such as C&C server details, connection timeouts, and sleep intervals being encrypted and encoded. Researchers discovered over 50 C&C servers hosted by a China-based provider, but it is unclear whether these servers are exclusive to Earth Lusca or shared with other Chinese-speaking APTs.
Although Earth Lusca is the primary group tied to this campaign, other Chinese-speaking APTs, such as Iron Tiger and Void Arachne, have also been known to target Chinese organizations, raising concerns about whether this infrastructure could be part of a broader collaborative effort. The campaign’s large-scale infrastructure suggests it could be an early-stage test for wider deployment.
MITRE ATT&CK Tactics and Techniques

| Tactic | ID | Techniques |
| --- | --- | --- |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1129 | Shared Modules |
| Persistence | T1574 | Hijack Execution Flow |
| Persistence | T1574.002 | DLL Side-Loading |
| Privilege Escalation | T1574 | Hijack Execution Flow |
| Privilege Escalation | T1574.002 | DLL Side-Loading |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1218 | System Binary Proxy Execution |
| Defense Evasion | T1218.011 | Rundll32 |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Defense Evasion | T1574 | Hijack Execution Flow |
| Defense Evasion | T1574.002 | DLL Side-Loading |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1497 | Virtualization/Sandbox Evasion |
| Command and Control | T1071 | Application Layer Protocol |
STATELY TAURUS
A sophisticated cyber espionage campaign was detected by the end of Q3 2024 targeting government entities in Southeast Asia, attributed to the Chinese APT group known as Stately Taurus (also referred to as Mustang Panda, BRONZE PRESIDENT, TA416, RedDelta, and Earth Preta). The attackers leveraged a reverse shell feature in Visual Studio Code, previously discovered in 2023, to gain unauthorized network access. This technique, observed in the wild for the first time, enabled the attackers to execute arbitrary code, deploy malicious payloads, and exfiltrate sensitive information.
The attackers utilized both portable and installed versions of Visual Studio Code, leveraging the command `code.exe tunnel`, which redirects to a web environment after logging into GitHub. This provided access to compromised systems for malicious activities. Stately Taurus deployed malware and established persistence through a scheduled task running a script named `startcode.bat`, ensuring ongoing access.
Alongside this activity, evidence of a second attack cluster involving the ShadowPad backdoor was detected. The attackers used ShadowPad, a modular backdoor often deployed via DLL sideloading, which was active on the same machines targeted by Stately Taurus. This overlap in activity suggests a possible connection between the two clusters, although it remains unclear whether both operations were conducted by the same group or two collaborating threat actors.
The campaign also saw the use of tools like SharpNBTScan for reconnaissance, OpenSSH for lateral movement, and various data exfiltration methods, including archiving files using RAR and uploading them to legitimate platforms like Dropbox to avoid detection. The campaign’s persistence mechanisms, along with its use of novel tools and techniques, highlight the threat posed to governmental institutions in Southeast Asia.
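The two host-level artifacts named above, `code.exe tunnel` and a scheduled task running `startcode.bat`, are easy to hunt for in process-creation and task-registration telemetry. The script below is an added example, not code from the original report; the event records, the `TUNNEL_ALLOWLIST` of sanctioned developer hosts, and the host names are constructed.

```python
import shlex
from dataclasses import dataclass

# Hosts where the Visual Studio Code tunnel feature is sanctioned for developers
# (constructed allowlist for this example; legitimate use of `code tunnel` exists).
TUNNEL_ALLOWLIST = {"dev-laptop-01"}

@dataclass
class Event:
    kind: str            # "process" (process creation) or "schtask" (task registered)
    host: str
    cmdline: str         # full command line, or the scheduled task's action
    task_name: str = ""  # scheduled task name, schtask events only

def _argv(cmdline):
    """Split a Windows command line without treating backslashes as escapes."""
    try:
        return [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    except ValueError:
        return cmdline.split()

def is_vscode_tunnel(cmdline):
    """True when Code.exe (installed or portable) is launched with the tunnel subcommand."""
    argv = _argv(cmdline)
    if not argv:
        return False
    exe = argv[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return exe in {"code.exe", "code"} and "tunnel" in (a.lower() for a in argv[1:])

def hunt(events):
    """Return (host, rule, detail) findings for the two behaviours described above."""
    findings = []
    for ev in events:
        if ev.kind == "process" and is_vscode_tunnel(ev.cmdline):
            # A tunnel from a host that is not a developer workstation is the signal.
            if ev.host not in TUNNEL_ALLOWLIST:
                findings.append((ev.host, "vscode_tunnel_on_non_dev_host", ev.cmdline))
        elif ev.kind == "schtask" and "startcode.bat" in ev.cmdline.lower():
            findings.append((ev.host, "schtask_runs_startcode_bat",
                             f"{ev.task_name}: {ev.cmdline}"))
    return findings

# Constructed telemetry for the example (not real logs).
SAMPLE_EVENTS = [
    Event("process", "gov-fs-03",
          r'"C:\Users\staff\AppData\Local\Programs\Microsoft VS Code\Code.exe" tunnel'),
    Event("process", "dev-laptop-01",
          r'"C:\Program Files\Microsoft VS Code\Code.exe" tunnel'),
    Event("process", "gov-fs-03",
          r'"C:\Program Files\Microsoft VS Code\Code.exe" --new-window'),
    Event("schtask", "gov-fs-03", r"C:\ProgramData\startcode.bat",
          task_name=r"\SystemUpdate"),
    Event("schtask", "gov-fs-03", r"C:\Windows\System32\cleanmgr.exe /autoclean",
          task_name=r"\Cleanup"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```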
MITRE ATT&CK Tactics and Techniques
Tactic | Technique ID | Technique |
--- | --- | --- |
Execution | T1129 | Shared Modules |
Persistence | T1574 | Hijack Execution Flow |
Persistence | T1574.002 | DLL Side-Loading |
Privilege Escalation | T1574 | Hijack Execution Flow |
Privilege Escalation | T1574.002 | DLL Side-Loading |
Defense Evasion | T1218 | System Binary Proxy Execution |
Defense Evasion | T1218.011 | Rundll32 |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Defense Evasion | T1574 | Hijack Execution Flow |
Defense Evasion | T1574.002 | DLL Side-Loading |
Credential Access | T1056 | Input Capture |
Discovery | T1082 | System Information Discovery |
Discovery | T1497 | Virtualization/Sandbox Evasion |
Collection | T1056 | Input Capture |
Command and Control | T1071 | Application Layer Protocol |
Earth Preta has refined its malware toolkit to enhance data exfiltration and payload deployment capabilities. The group has been observed using PUBLOAD malware, which has been linked to cyberattacks in the Asia-Pacific region. PUBLOAD is a downloader that facilitates reconnaissance and file harvesting from infected networks, targeting file types such as .doc, .xls, and .pdf. The group has also introduced additional tools, including FDMTP, a simple downloader, and PTSOCKET, an exfiltration tool capable of transferring files in multi-thread mode.
The malware spreads via removable drives using a worm variant, allowing it to propagate within targeted environments. Recent campaigns were also identified that distribute phishing emails with malicious attachments. When opened, these attachments deliver a signed downloader called DOWNBAIT, which retrieves the PULLBAIT shellcode. This shellcode, in turn, downloads and runs a backdoor known as CBROVER, enabling file downloads, remote shell execution, and the deployment of the PlugX RAT. PlugX facilitates the execution of further malicious tools, including FILESAC, designed to gather targeted files.
MITRE ATT&CK Tactics and Techniques
Tactic | Technique ID | Technique |
--- | --- | --- |
Initial Access | T1091 | Replication Through Removable Media |
Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task |
Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
Defense Evasion | T1480.001 | Execution Guardrails: Environmental Keying |
Defense Evasion | T1553.002 | Subvert Trust Controls: Code Signing |
Defense Evasion | T1055 | Process Injection |
Discovery | T1082 | System Information Discovery |
Discovery | T1518.001 | Software Discovery: Security Software Discovery |
Discovery | T1049 | System Network Connections Discovery |
Discovery | T1016 | System Network Configuration Discovery |
Collection | T1005 | Data from Local System |
Collection | T1560.001 | Archive Collected Data: Archive via Utility |
Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Exfiltration | T1048 | Exfiltration Over Alternative Protocol |
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
FLAX TYPHOON (AKA ETHEREAL PANDA OR REDJULIETT)
Researchers uncovered a new botnet, believed to be operated by a Chinese nation-state threat actor known as Flax Typhoon, which has targeted small office/home office (SOHO) and IoT devices since at least May 2020. Dubbed Raptor Train, the botnet peaked at 60,000 active compromised devices in June 2023 and has conscripted over 200,000 devices, including routers and IP cameras.
The botnet’s architecture is three-tiered: Tier 1 consists of compromised devices, Tier 2 includes exploitation and command-and-control servers, and Tier 3 encompasses centralized management nodes, using a tool called Sparrow. Infected nodes often have a lifespan of around 17 days, demonstrating the threat actor’s ability to reinfect devices.
Four distinct campaigns have been observed, each associated with different command-and-control domains. Notably, the latest campaign has achieved significant prominence in internet rankings, enhancing its stealth. Despite not conducting detectable DDoS attacks, the botnet has targeted critical sectors in the U.S. and Taiwan, indicating capabilities for reconnaissance and exploitation.
Recent operations revealed a robust infrastructure supporting extensive exploitation efforts, making Raptor Train a significant concern for cybersecurity.
MITRE ATT&CK Tactics and Techniques
Tactic | Technique ID | Technique |
--- | --- | --- |
Initial Access | T1190 | Exploit Public-Facing Application |
Execution | T1059 | Command and Scripting Interpreter |
Privilege Escalation | T1190 | Exploit Public-Facing Application |
Defense Evasion | T1027 | Obfuscated Files or Information |
Discovery | T1046 | Network Service Discovery |
Lateral Movement | T1021 | Remote Services |
Collection | T1119 | Automated Collection |
Command and Control | T1071 | Application Layer Protocol |
Command and Control | T1573 | Encrypted Channel |
Impact | T1490 | Inhibit System Recovery |
APT17
Two targeted cyber-attacks against Italian companies and government entities were observed on June 24 and July 2, 2024. These attacks are attributed to APT17, a Chinese-speaking threat group, also known as “DeputyDog.” The attackers used a diskless variant of the RAT 9002 malware, closely associated with APT17’s previous operations.
The first campaign on June 24 involved a malicious Office document, while the second, on July 2, used a phishing link. Both campaigns aimed to trick victims into installing a Skype for Business package from a URL resembling an Italian government domain, ultimately delivering a variant of RAT 9002.
RAT 9002, a highly modular and actively developed Trojan, was executed through a malicious MSI file. This file contained an original Skype for Business installer alongside malicious Java components, which decrypted and executed the shellcode responsible for loading RAT 9002. The Trojan provides extensive capabilities such as network traffic monitoring, file management, process execution, and system reconnaissance.
The malware connects to its command and control (C&C) server via encrypted channels, using domains mimicking legitimate services. This ongoing activity highlights APT17’s persistent focus on espionage against strategic targets, utilizing evolving malware variants for sophisticated attacks.
MITRE ATT&CK Tactics and Techniques
Tactic | Technique ID | Technique |
--- | --- | --- |
Execution | T1059 | Command and Scripting Interpreter |
Execution | T1106 | Native API |
Execution | T1129 | Shared Modules |
Execution | T1203 | Exploitation for Client Execution |
Persistence | T1574 | Hijack Execution Flow |
Persistence | T1574.002 | DLL Side-Loading |
Persistence | T1574.010 | Services File Permissions Weakness |
Privilege Escalation | T1574 | Hijack Execution Flow |
Privilege Escalation | T1574.002 | DLL Side-Loading |
Privilege Escalation | T1574.010 | Services File Permissions Weakness |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1027.002 | Software Packing |
Defense Evasion | T1036 | Masquerading |
Defense Evasion | T1070 | Indicator Removal |
Defense Evasion | T1070.004 | File Deletion |
Defense Evasion | T1070.006 | Timestomp |
Defense Evasion | T1112 | Modify Registry |
Defense Evasion | T1202 | Indirect Command Execution |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Defense Evasion | T1562 | Impair Defenses |
Defense Evasion | T1562.001 | Disable or Modify Tools |
Defense Evasion | T1564 | Hide Artifacts |
Defense Evasion | T1564.003 | Hidden Window |
Defense Evasion | T1574 | Hijack Execution Flow |
Defense Evasion | T1574.002 | DLL Side-Loading |
Defense Evasion | T1574.010 | Services File Permissions Weakness |
Credential Access | T1056 | Input Capture |
Credential Access | T1539 | Steal Web Session Cookie |
Discovery | T1010 | Application Window Discovery |
Discovery | T1012 | Query Registry |
Discovery | T1018 | Remote System Discovery |
Discovery | T1057 | Process Discovery |
Discovery | T1082 | System Information Discovery |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1120 | Peripheral Device Discovery |
Discovery | T1497 | Virtualization/Sandbox Evasion |
Discovery | T1518 | Software Discovery |
Discovery | T1518.001 | Security Software Discovery |
Lateral Movement | T1091 | Replication Through Removable Media |
Collection | T1056 | Input Capture |
Command and Control | T1071 | Application Layer Protocol |
Command and Control | T1095 | Non-Application Layer Protocol |
Command and Control | T1573 | Encrypted Channel |
Impact | T1485 | Data Destruction |
NORTH KOREAN APT ACTIVITIES
Targeted Countries
- United States
- Europe
- South Korea
- Russia
- Japan
Targeted Technologies
- Software
- Windows
- Linux
- Web Applications
- Google services
Targeted Industries
- Energy
- Aerospace
- Education
- Government
KIMSUKY
By Q3 2024, the Konni threat campaign, linked to the Kimsuky group, had escalated its attacks on Korean and Russian government entities, leveraging cloud and FTP services to complicate detection and analysis. Active since 2014, the campaign primarily employs spear phishing, distributing malicious document-based files to target experts in North Korean affairs and individuals involved in virtual asset transactions. The group’s infection chain is sophisticated, focusing on evading antivirus detection during initial infiltration.
Recent attacks reveal the abuse of free hosting platforms for command and control (C2) servers, with infrastructure continuity across incidents. Notably, the campaign has used financial and governmental themes to facilitate cyber espionage and data theft. Malicious files, including AsyncRAT variants, employ obfuscation techniques, such as future-dated timestamps and XOR-based encryption, to bypass detection. The ongoing focus on Korean virtual asset exchanges reflects the evolving threat landscape.
MITRE ATT&CK Tactics and Techniques
Tactic | Technique ID | Technique |
--- | --- | --- |
Execution | T1106 | Native API |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1027.002 | Software Packing |
Defense Evasion | T1070 | Indicator Removal |
Defense Evasion | T1070.006 | Timestomp |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Defense Evasion | T1562 | Impair Defenses |
Defense Evasion | T1562.001 | Disable or Modify Tools |
Defense Evasion | T1620 | Reflective Code Loading |
Discovery | T1010 | Application Window Discovery |
Discovery | T1082 | System Information Discovery |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1497 | Virtualization/Sandbox Evasion |
Discovery | T1518 | Software Discovery |
Discovery | T1518.001 | Security Software Discovery |
Collection | T1560 | Archive Collected Data |
Collection | T1560.002 | Archive via Library |
Command and Control | T1071 | Application Layer Protocol |
Command and Control | T1571 | Non-Standard Port |
Additionally, in recent campaigns observed in the same period, Kimsuky exploited misconfigured DMARC policies and staged phishing attacks to gain access to university networks. The group’s phishing tactics involved setting up malicious login pages for institutions like Dongduk, Korea, and Yonsei Universities, closely imitating legitimate ones to steal credentials. Kimsuky also used a modified webshell, “Green Dinosaur,” to deploy phishing toolkits and manage its infrastructure. The stolen credentials facilitated deeper penetration into target environments for espionage. The group also targeted Naver accounts using a toolkit similar to Evilginx, and its custom PHPMailer implementation, “SendMail,” distributed phishing emails from compromised accounts. These campaigns highlight Kimsuky’s continued refinement of its academic and strategic intelligence collection techniques, aligning with North Korean state objectives to obtain sensitive information, including scientific and technological research, for economic and military advantage.
Findings from Q3 2024 also show the continued evolution and sophistication of the North Korean APT group Sparkling Pisces (Kimsuky). Researchers uncovered two previously undocumented malware samples: KLogEXE, a keylogger, and FPSpy, a variant of a backdoor used by Sparkling Pisces. KLogEXE operates similarly to a previously documented PowerShell keylogger, collecting running applications, keystrokes, and mouse clicks and exfiltrating the data via HTTP. The collected information is saved in a .ini file and transmitted to a command and control (C2) server.
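A DMARC record that only monitors (`p=none`), covers part of the mail stream, or reports to nobody is the kind of misconfiguration that lets spoofed mail from a trusted domain reach inboxes. The checker below is an added example, not code from the report; the two records and the `example.ac.kr` domain are constructed placeholders.

```python
def parse_dmarc(record):
    """Parse 'v=DMARC1; p=none; rua=...' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return a list of findings; an empty list means the record is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing or wrong v= tag)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: receivers only report, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    elif policy != "reject":
        findings.append(f"p={policy or '<missing>'}: invalid or missing policy, treated as none")
    # Subdomains inherit p= unless sp= overrides it; sp=none reopens the hole.
    sub = tags.get("sp", policy).lower()
    if sub == "none" and policy != "none":
        findings.append("sp=none: subdomains are not covered by the organisational policy")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so abuse goes unnoticed")
    return findings

def dmarc_enforced(record):
    """True only when assess_dmarc raises no finding."""
    return assess_dmarc(record) == []

# Constructed records for a placeholder university domain (weak vs. corrected).
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.ac.kr")

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, "->", assess_dmarc(rec) or ["enforcing"])
```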
FPSpy, suspected to be linked to earlier campaigns targeting South Korean users, exhibits enhanced capabilities, such as arbitrary command execution and data collection. It uses a custom loader to deploy a DLL (sys.dll) and store system information, configuration data, and logs. Notably, both malware samples share a codebase, utilizing similar techniques for dynamic API calls and data exfiltration.
The infrastructure of Sparkling Pisces demonstrates overlaps between different malware strains, indicating an adaptable and persistent threat landscape. Most observed targets were based in South Korea and Japan, aligning with previous targeting patterns. Understanding these techniques and their connections equips organizations to better defend against the evolving threats posed by state-sponsored cyber actors.
MITRE ATT&CK Tactics and Techniques
Tactic | Technique ID | Technique |
--- | --- | --- |
Execution | T1129 | Shared Modules |
Privilege Escalation | T1055 | Process Injection |
Defense Evasion | T1036 | Masquerading |
Defense Evasion | T1055 | Process Injection |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Credential Access | T1056 | Input Capture |
Discovery | T1010 | Application Window Discovery |
Discovery | T1033 | System Owner/User Discovery |
Discovery | T1057 | Process Discovery |
Discovery | T1082 | System Information Discovery |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1087 | Account Discovery |
Discovery | T1497 | Virtualization/Sandbox Evasion |
Collection | T1056 | Input Capture |
Command and Control | T1071 | Application Layer Protocol |
UNC2970
A North Korea-linked cyber-espionage group, UNC2970, is targeting victims in the energy and aerospace sectors using job-themed phishing lures to deliver a newly discovered backdoor named MISTPEN. The group, associated with Lazarus, aims to gather strategic intelligence, particularly targeting senior-level employees with spear-phishing tactics.
The attack, dubbed Operation Dream Job, involves contacting victims via email and WhatsApp under the guise of recruiters offering high-level job positions. Victims are lured into downloading a ZIP archive containing a trojanized PDF viewer, specifically an older version of Sumatra PDF, which triggers the infection chain. A launcher called BURNBOOK executes a malicious DLL file, TEARPAGE, which loads the MISTPEN backdoor.
MISTPEN, a lightweight C-based implant, can download and execute additional malware from a command-and-control (C2) server via HTTP. It also communicates through Microsoft Graph URLs. Over time, the attackers have refined the malware, adding new features and network checks to evade detection. Previous samples of MISTPEN used compromised WordPress sites as C2 domains, showcasing the evolving nature of the group’s tactics. The campaign reflects the group’s growing sophistication in leveraging legitimate software to conceal their espionage activities.
MITRE ATT&CK Tactics and Techniques
Tactic | Technique ID | Technique |
--- | --- | --- |
Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
Execution | T1204.002 | User Execution: Malicious File |
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task |
Defense Evasion | T1574 | Hijack Execution Flow |
Discovery | T1082 | System Information Discovery |
Command and Control | T1071 | Application Layer Protocol |
UAT-5394
A new remote access trojan (RAT) named MoonPeak has been linked to a North Korean threat actor, identified as UAT-5394, which exhibits tactical similarities to the Kimsuky group. MoonPeak is a variant of the open-source Xeno RAT, previously utilized in phishing campaigns to retrieve payloads from cloud storage services. Key features of Xeno RAT include the ability to load plugins, manage processes, and communicate with command-and-control (C2) servers.
The campaign is marked by a significant shift towards utilizing newly established infrastructure, including dedicated C2 servers and payload-hosting sites, moving away from reliance on legitimate cloud providers. This allows for greater control over malware distribution and data collection. The threat actor has been observed accessing these servers to update payloads and retrieve logs from infections.
The constant evolution of MoonPeak is paired with enhanced obfuscation techniques designed to hinder analysis and secure communication. Specific malware variants are tightly coupled with corresponding C2 server versions, indicating a strategic approach to operational security. Overall, this rapid adaptation and infrastructure development suggest a focused effort to expand and refine the campaign’s capabilities.
MITRE ATT&CK Tactics and Techniques
Tactic | Technique ID | Technique |
--- | --- | --- |
Execution | T1106 | Native API |
Persistence | T1574 | Hijack Execution Flow |
Persistence | T1574.002 | DLL Side-Loading |
Privilege Escalation | T1574 | Hijack Execution Flow |
Privilege Escalation | T1574.002 | DLL Side-Loading |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1027.002 | Software Packing |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Defense Evasion | T1562 | Impair Defenses |
Defense Evasion | T1562.001 | Disable or Modify Tools |
Defense Evasion | T1574 | Hijack Execution Flow |
Defense Evasion | T1574.002 | DLL Side-Loading |
Defense Evasion | T1620 | Reflective Code Loading |
Credential Access | T1056 | Input Capture |
Discovery | T1010 | Application Window Discovery |
Discovery | T1033 | System Owner/User Discovery |
Discovery | T1082 | System Information Discovery |
Discovery | T1087 | Account Discovery |
Discovery | T1124 | System Time Discovery |
Discovery | T1497 | Virtualization/Sandbox Evasion |
Discovery | T1518 | Software Discovery |
Discovery | T1518.001 | Security Software Discovery |
Collection | T1056 | Input Capture |
Collection | T1560 | Archive Collected Data |
Collection | T1560.002 | Archive via Library |
Command and Control | T1071 | Application Layer Protocol |
Command and Control | T1571 | Non-Standard Port |
LAZARUS APT
A recent zero-day vulnerability tracked as CVE-2024-38193 (CVSS 7.8) was exploited by the Lazarus APT group, linked to North Korea. The flaw, residing in the Windows Ancillary Function Driver (AFD.sys) for WinSock, allows attackers to escalate privileges to SYSTEM. It was patched in August 2024 as part of Microsoft’s security updates. The vulnerability has been weaponized using a malware module called FudModule, which evades detection and gives attackers access to sensitive system areas.
Lazarus utilized this exploit primarily to target individuals in sectors like cryptocurrency engineering and aerospace, aiming to compromise organizations and steal funds. The attackers also leveraged a different vulnerability in February 2024, tracked as CVE-2024-21338, found in the AppLocker driver (appid.sys), allowing them to disable security software through kernel object manipulation.
With these admin-to-kernel zero-day exploits exposed, the group’s ability to bypass security has been significantly weakened. This leaves Lazarus with the choice of either discovering a new zero-day vulnerability or reverting to older, noisier methods such as BYOVD (Bring Your Own Vulnerable Driver) tactics to bypass security.
Researchers also observed that in the same period, Citrine Sleet exploited the recently patched Chrome zero-day CVE-2024-7971, a high-severity vulnerability (CVSS score 8.8). This exploit targets versions of Chromium prior to 128.0.6613.84, allowing attackers to execute remote code within the Chromium renderer process. Citrine Sleet utilized an exploit domain, voyagorclub[.]space, likely employing social engineering tactics to lure targets. Upon connecting, the exploit delivered the FudModule rootkit. Following code execution, the attackers leveraged CVE-2024-38106, a Windows kernel vulnerability, for sandbox escape, enabling further payload deployment in memory. The FudModule rootkit, known for its direct kernel object manipulation (DKOM) techniques, operates entirely from user mode, accessing kernel security mechanisms through read/write primitives. Despite this, no additional malicious actions were observed post-compromise. Analysts suggest the exploitation of CVE-2024-38106 might indicate a “bug collision” or shared knowledge among threat actors. The report underscores the importance of timely patching and using unified security solutions to detect malicious post-exploit activities.
Additionally, a sophisticated supply chain attack campaign has been observed, attributed to the Gleaming Pisces aka Lazarus Group threat actor, a North Korean group known for targeting cryptocurrency and financial platforms. This campaign leverages poisoned Python packages uploaded to the PyPI repository, designed to infiltrate both Linux and macOS systems by delivering backdoor malware.
The attackers’ strategy involves embedding malicious payloads within seemingly legitimate Python packages, named PondRAT, that execute upon installation. Once activated, the malware decodes and executes encoded scripts, leading to the installation of a Linux RAT that allows remote control of infected systems. This mirrors past tactics used by Gleaming Pisces, particularly the deployment of POOLRAT, a known macOS remote administration tool (RAT) tied to the same threat actor. PondRAT appears to be a lighter variant of POOLRAT but retains crucial functionality, such as file transfer, command execution, and system status checks.
Key technical analysis revealed overlapping code structures, function names, and shared encryption keys between PondRAT and POOLRAT, linking this campaign directly to Gleaming Pisces. The attackers deployed several infected Python packages, including real-ids, coloredtxt, and minisound, which were able to bypass traditional detection mechanisms by mimicking legitimate open-source packages.
The use of cross-platform backdoors, targeting both Linux and macOS environments, indicates a significant expansion of Gleaming Pisces’ attack capabilities. Their use of supply chain attacks via trusted repositories like PyPI shows a clear intent to exploit developer ecosystems and spread malware through a broader network of supply chain vendors and their customers.
This campaign demonstrates Gleaming Pisces’ evolving tactics and focus on infiltrating critical industries, posing severe risks to organizations relying on compromised open-source tools for software development.
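A cheap defensive control against the PyPI poisoning described above is to screen dependency manifests before installation: block the package names reported in the campaign and flag names that are a keystroke or two away from packages the organisation actually uses. The screener below is an added example, not tooling from the report; `ALLOWLIST` and `SAMPLE_REQUIREMENTS` are constructed, and only the three malicious package names come from the text.

```python
import re

# Package names reported in the Gleaming Pisces campaign (from the text above).
KNOWN_MALICIOUS = {"real-ids", "coloredtxt", "minisound"}

# Constructed internal allowlist of packages this project is expected to depend on.
ALLOWLIST = {"requests", "colored", "pydantic", "numpy", "sounddevice"}

def normalize(name):
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot names one or two keystrokes from a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def requirement_names(text):
    """Yield normalised project names from requirements.txt-style lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip blanks and options like -r
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            yield normalize(m.group(0))

def screen(text, max_distance=2):
    """Return {name: verdict} for every requirement that needs a human look."""
    verdicts = {}
    for name in requirement_names(text):
        if name in KNOWN_MALICIOUS:
            verdicts[name] = "known malicious (PondRAT campaign)"
        elif name in ALLOWLIST:
            continue
        else:
            near = [p for p in ALLOWLIST if 0 < edit_distance(name, p) <= max_distance]
            verdicts[name] = (f"possible typosquat of {sorted(near)}" if near
                              else "not on allowlist, review before install")
    return verdicts

# Constructed manifest mixing sanctioned, malicious and look-alike names.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
Colored>=1.4   # normalises to 'colored'
coloredtxt==0.1.0
numpyy==1.26.0
minisound
-r other.txt
"""

if __name__ == "__main__":
    for name, verdict in screen(SAMPLE_REQUIREMENTS).items():
        print(f"{name}: {verdict}")
```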
MITRE ATT&CK Tactics and Techniques
Tactic | Technique ID | Technique |
--- | --- | --- |
Persistence | T1543 | Create or Modify System Process |
Persistence | T1543.002 | Systemd Service |
Privilege Escalation | T1543 | Create or Modify System Process |
Privilege Escalation | T1543.002 | Systemd Service |
Defense Evasion | T1036 | Masquerading |
Defense Evasion | T1564 | Hide Artifacts |
Defense Evasion | T1564.001 | Hidden Files and Directories |
Discovery | T1518 | Software Discovery |
Discovery | T1518.001 | Security Software Discovery |
Command and Control | T1071 | Application Layer Protocol |
Command and Control | T1095 | Non-Application Layer Protocol |
Command and Control | T1105 | Ingress Tool Transfer |
Command and Control | T1573 | Encrypted Channel |
CONCLUSION
In Q3 2024, the APT landscape showcased intensified efforts by Iranian, Russian, Chinese, and North Korean cyber actors. These groups have demonstrated increasing sophistication in targeting critical industries through diverse techniques, such as spear-phishing, zero-day exploits, and malware deployment. The escalation of these tactics highlights the need for organizations to implement robust defenses, prioritize timely patching, and stay vigilant against social engineering attacks to protect against evolving threats.