Cybersecurity researchers are warning against a new targeted cyber attack campaign that is targeting military and financial organisations.

Researchers at cybersecurity firm Kaspersky were able to link over 300 samples of a backdoor called ‘Bisonal’ to a targeted campaign by an advanced persistent threat actor (APT) group called CactusPete. This threat actor is a cyber espionage group also known as Karma Panda or Tonto Teaь has been active since at least 2012, Kaspersky said.

“This latest campaign has focused on military and financial targets in Eastern Europe and highlights the group’s rapid development,” it said.

“This time they’ve upgraded their backdoor to target representatives from the military and financial sectors in Eastern Europe — most likely to gain access to confidential information. In addition, the speed at which the new malware samples are created suggest the group is rapidly developing,” it added.

Kaspersky researchers spotted the group’s most recent activity in February this year when they spotted an updated version of the group’s Bisonal backdoor.

Backdoor is a vulnerability or a fault in a computer system that can allow unauthorized access to data.

“The functionality of the malicious payload suggests the group is after highly sensitive information. Once installed on the victim’s device, the Bisonal backdoor used allows the group to silently start various programs, terminate any processes, upload/download/delete files, and retrieve a list of available drives. In addition, as the operators move deeper into the infected system, they deploy keyloggers to harvest credentials and download privilege escalation malware to gradually gain more and more control over the system,” explained Kaspersky.

Researchers linked these attack to CactusPete and found 300 similar samples of the Bisonal backdoor using its tool Kaspersky Threat Attribution Engine. The tool analyses malicious code for similarities with that de-ployed by known threat actors to determine the group behind an attack.

All 300 samples appeared between March 2019 and April 2020.

They are yet to discover how exactly is the backdoor downloaded into the system initially in this latest campaign.

“In the past, CactusPete has primarily relied on spear-phishing with emails that contain malicious attachments. If the attachment is opened, then the device becomes infected,” the report said.

“CactusPete is a rather interesting APT group because it’s actually not that advanced—the Bisonal backdoor included,” said Konstantin Zykov, a senior security researcher at Kaspersky.

“Their success comes not from sophisticated technology or complex distribution and obfuscation tactics, but from a successful application of social engineering tactics. They are able to succeed in infecting high-level targets because their victims click on the phishing emails and open the malicious attachments. This is a great example of why phishing continues to be such an effective method for launching cyber attacks — and why it’s so important for companies to provide their employees with training on how to spot such emails and stay up-to-date on the latest threat intelligence so that they can spot an advanced actor” he added.

comment COMMENT NOW