Kaspersky: Targeted, stealth attacks shoot up in Q3

K. V. Kurmanath Updated - October 23, 2019 at 04:30 PM.

APT attackers diversify tools to dodge detection, says Kaspersky

Advanced Persistent Threats (APT), targeted and stealth attacks by hackers, including State actors, have seen a surge in the third quarter of this calendar year. Worse still, the breadth of attacks has widened as the hackers appear to have diversified their toolkits.

The diversification makes it difficult for security experts to ascertain whether a given tool is a revamped one from the same APT or belongs to a new threat actor altogether that used existing tools to launch a fresh attack.

Cyber security experts have noticed an increase in the usage and number of new and previously unknown malicious toolsets in the quarter.

Advanced Persistent Threats

Advanced Persistent Threats (APTs) are defined as targeted attacks on computer networks. After gaining unauthorised access to a network, the hacker lets the malware remain undetected for long periods.

“This is a sign of a consistent trend of the threat actor exodus into deeper waters, to evade detection,” a quarterly report by Internet security solutions company Kaspersky noted.

“Like we predicted last year, threat actors refresh their toolsets and go into deep waters to evade detection,” Vicente Diaz, security researcher at Global Research and Analysis Team of Kaspersky, has said.

Tunnus activity

The report finds that Turla, which is also referred to as Venomous Bear, Uroburos and Waterbug, has given its tools a makeover. It attributes a new backdoor named Tunnus to the group. A .NET-based backdoor with the ability to run commands or perform file actions on an infected system, Tunnus sends the results to its command-and-control servers located elsewhere. It says Tunnus activity started in March and has remained active ever since.

The group is using Topinambour, a new .NET file, to distribute and drop its JavaScript KopiLuwak through infected installation packages for legitimate software programs such as VPNs (virtual private networks).

Turla has also wrapped its JavaScript KopiLuwak malware in a new dropper called “.” It made some changes to the tool to help Turla dodge any detection.

“The two KopiLuwak analogues – the .NET “RocketMan” Trojan and the PowerShell “MiamiBeach” Trojan – are used for cyber-espionage. It is possible that a threat actor deploys these versions when their targets are protected with security software that is able to detect KopiLuwak,” the report said.

All three implants are able to focus on specific targets, gather information on system and network adapters, steal files, and download and execute additional malware.

Some nation states, too, are under attack. For one, HoneyMyte (also known as Temp.Hex and Mustang Panda) targets government entities in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh.

The key objective of HoneyMyte could be to gather geo-political and economic intelligence from government agencies.

Published on October 23, 2019 07:59