Advanced persistent threat (APT) groups are diversifying their activities, getting creative with old and new techniques in Q3 of 2020, according to a report by cybersecurity firm Kaspersky.

“The activity of advanced persistent threat (APT) groups in the third quarter of 2020 indicated a curious trend: while many threat actors advance and continue to diversify their toolsets, at times resorting to extremely tailored and persistent tools, others successfully reach their goals through the employment of well-known, time-tested attack methods,” the report said.

Kaspersky researchers have observed a split trend in Q3. One of the most notable campaigns of the quarter was carried out by an unknown actor, who infected a user’s device using a custom bootkit for UEFI, the firmware that initialises a computer before the operating system loads.

This infection vector was part of a multi-stage framework dubbed MosaicRegressor. Because the malware was planted in the firmware rather than on disk, it was far more persistent and much harder to remove than a conventional infection.

“On top of that, the payload downloaded by the malware to each victim’s device could be different – this flexible approach enabled the actor to hide its payload from unwanted witnesses,” the report said.

Various attacks

Some bad actors leveraged steganography through a new method abusing the Authenticode-signed Windows Defender binary. It is “an integral and approved program for the Windows Defender security solution.”

The attackers used steganography to hide the primary payload inside the Defender binary, keeping the file executable without invalidating its digital signature and thereby making it harder to detect.

Other threat actors also updated their existing toolsets to make them harder to detect and more effective. Many updated multi-stage frameworks and malware families, such as the Dtrack remote access tool (RAT), continued to appear in the wild.

However, some threat actors are still relying on low-tech infection chains that have been successful in the past.

One such group cited by Kaspersky researchers is a mercenary group named DeathStalker.

“This APT mainly focuses on law firms and companies operating in the financial sector, gathering sensitive and valuable information from the victims. Using techniques that have been mostly identical since 2018, a focus on evading detection has enabled DeathStalker to continue carrying out a number of successful attacks,” the report said.

“While some threat actors remain consistent over time and simply look to use hot topics such as COVID-19 to entice victims to download malicious attachments, other groups reinvent themselves and their toolsets,” said Ariel Jungheit, Senior Security Researcher, Global Research and Analysis Team, Kaspersky.

“The widening scope of platforms attacked, continuous work on new infection chains and the use of legitimate services as part of their attack infrastructure is something we have witnessed over the past quarter,” Jungheit said.

“Overall, what this means for cybersecurity specialists is this: defenders need to invest resources in hunting malicious activity in new, possibly legitimate environments that were scrutinized less in the past. That includes malware that is written in lesser-known programming languages, as well as through legitimate cloud services,” Jungheit added.