APT Groups Finding Success with Mix of Old and New Tools

malware download pastebin

The APT threat landscape is a mixed bag of tried-and-true tactics and cutting-edge techniques, largely supercharged by geo-politics, a report finds.

Advanced persistent threat (APT) groups continue to use the fog of intense geopolitics to supercharge their campaigns, but beyond these themes, actors are developing individual signature tactics for success.

That’s according to Kaspersky’s most recent APT trends report for Q3 2020, which found that some groups are innovating and pushing technical boundaries, while others take a more low-tech approach, honing messaging around COVID, the elections and other headlines.

“While some threat actors remain consistent over time and simply look to use hot topics such as COVID-19 to entice victims to download malicious attachments, other groups reinvent themselves and their toolsets,” said Ariel Jungheit, senior security researcher at the Global Research and Analysis Team at Kaspersky. “The widening scope of platforms attacked, continuous work on new infection chains and the use of legitimate services as part of their attack infrastructure, is something we have witnessed over the past quarter.”

These divergent approaches were best represented by two groups in particular, according to the report; DeathStalker and MosaicRegressor.


DeathStalker, the report said, has been successful using the same tactics since 2018 to target law firms and companies in the financial sector.

“The group’s interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services or acting as an information broker in financial circles,” according to the report. “The activities of this threat actor first came to our attention through a PowerShell-based implant called Powersing.”

But while this approach is focused more on messaging around headlines for phishing emails, the report added that a couple of technical developments to DeathStalker’s campaigns are worth nothing.

“For instance, the malware directly connects to a command-and-control (C2) server using an embedded IP address or domain name, as opposed to previous variants where it made use of at least two dead-drop resolvers (DDRs) or web services, such as forums and code-sharing platforms, to fetch the real C2 IP address or domain,” the report explained. “Interestingly, for this campaign the attackers didn’t limit themselves merely to sending spear-phishing emails but actively engaged victims through multiple emails, persuading them to open the decoy, to increase the chance of compromise.”

Researchers added this was the first time they observed a malicious actor both using advanced techniques to bypass security, as well as “dropping PE binaries to load EvilNum.”

The Kaspersky team also noted they suspect DeathStalker is using a novel PowerShell implant they named “PowerPepper.”

“The delivery workflow uses a Microsoft Word document and drops a previously unknown PowerShell implant that relies on DNS over HTTPS (DoH) as a C2 channel,” the report said.

DeathStalker represents a relatively basic, low-tech set of techniques, tactics and procedures (TTPs) — while MosaicRegressor’s UEFI implant occupies the higher-tech end of the APT spectrum.


In early October Kasperky researchers reported the discovery of “rogue UEFI firmware images,” modified to deliver malware, which the team dubbed “MosaicRegressor” as part of a wider framework. Components of the MosaicRegressor framework was part of attacks launched against diplomats and African, Asian and European Non-Government Organizations and traced back to North Korea.

UEFI is a specification that constitutes the structure and operation of low-level platform firmware, including the loading of the operating system itself. It can also be used when the OS is already up and running, for example in order to update the firmware. The UEFI firmware bootkit that’s part of MosaicRegressor loads the operating system itself, meaning a threat actor can modify the system to load malware that will run after the OS is loaded. Thus, it will be resistant to reinstalling the operating system or even replacing the hard drive, researchers said.

The report added that APT attacks have spiked in recent weeks in Southeast Asia, the Middle East and “various regions affected by the activities of Chinese-speaking APT groups.”

“Overall, what this means for cybersecurity specialists is this: defenders need to invest resources in hunting malicious activity in new, possibly legitimate environments that were scrutinized less in the past,” Jungheit concluded. “That includes malware that is written in lesser-known programming languages, as well as through legitimate cloud services. Tracking actors’ activities and TTPs allows us to follow as they adapt new techniques and tools, and thereby prepare ourselves to react to new attacks in time.”

Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.








Suggested articles