In summary:
- The report covers the first quarter of 2024 and shows that a North Korean hacker group called Kimsuky or SharpTongue has been using the Golang-based backdoor Durian in a supply-chain attack in South Korea.
- While the Middle East has seen increasing APT campaigns, including from groups such as Gelsemium and Careto; hacktivism has also prevailed amid the Palestine and Israel conflict.
- The report also highlights threat actors’ continued use of social engineering and the ongoing expansion of APT campaigns to new sectors and geographic regions.
Cyber Espionage, Hacktivism and APTs
The first quarter of 2024 has witnessed a surge in sophisticated cyberattacks, with nation-state actors and hacktivists expanding their targets and refining their techniques. Kaspersky’s Global Research and Analysis Team (GReAT) has released its quarterly APT activity summary, revealing complex and increasing cybersecurity threats.
Ghosts of the Past, New Tricks in the Present:
The infamous Careto (The Mask in English) APT group, silent since 2013, has reemerged targeting high-profile organizations with advanced tools like “FakeHMP,” “Careto2,” and “Goreto.” Their innovative tactics include leveraging legitimate software like MDaemon email servers and HitmanPro Alert driver for stealthy persistence.
Meanwhile, Gelsemium, known for server-side exploits and webshells, continues to deploy stealthy implants like “SessionManager” and “OwlProxy.” Recent campaigns disguised payloads as font files, targeting Palestinian, Tajikistan, and Kyrgyzstan entities.
Beasts in the Middle East
The Middle East has become a hub of APT activity. A newly discovered campaign dubbed “DuneQuixote” targeted government entities using tampered installers for the legitimate “Total Commander” software. These “droppers” delivered the “CR4T” backdoor, showcasing the group’s sophisticated evasion techniques.
Iran-backed Oilrig APT, previously observed targeting IT service providers, has shifted focus to an internet service provider in the Middle East. The group deployed the .NET-based “SKYCOOK” implant for remote command execution and data theft, along with an autohotkey-based keylogger.
Southeast Asia and the Korean Peninsula
DroppingElephant, an Indian-speaking threat actor (also known as “Patchwork“ or “Chinastrats”) continues to target South Asian entities, utilizing the DISCORD CDN network to deliver the Spyder backdoor and Remcos RAT through malicious .DOC and .LNK files.
North Korean state-sponsored group Kimsuky or SharpTongue has deployed a new Golang-based backdoor dubbed “Durian” through a supply-chain attack targeting South Korean cryptocurrency companies.
Notably, the group leveraged legitimate software exclusive to South Korea for the initial infection vector. Durian’s capabilities include command execution, file download, and exfiltration.
Interestingly, Kimsuky’s use of the “LazyLoad” proxy tool hints at a possible connection or collaboration with the Andariel group (also known as the “Guardians of Peace” APT which was behind the infamous HBO data breach), adding another layer of complexity to the region’s cybersecurity.
Hacktivism on the Rise:
The Israel-Hamas conflict has fueled a wave of hacktivist activity, with groups like SiegedSec launching disruptive attacks and leaking sensitive information. SiegedSec, known for its social justice agenda, has targeted companies, and government infrastructure, and even collaborated with other cybercriminal groups.
Hackread.com reported on some of SiegedSec’s cyber attacks, including the data breach of the Stalkerware app TheTruthSpy, the NATO breach, and the PII data leak of INL (Idaho National Laboratory) employees.
Expanding Targets and Cross-Platform Development:
The Spyrtacus malware, previously targeting individuals in Italy via Android devices, has now evolved to include a Windows variant. Evidence suggests the group may be expanding its operations to other countries in Europe, Africa, and the Middle East, highlighting the growing trend of cross-platform malware development.
Stay Protected!
The first quarter of 2024 shows the dangers of cybersecurity can not be underestimated. While social engineering remains a dominant tactic, APT groups are constantly innovating and expanding their reach.
Organizations and individuals must remain alert, understand their specific threat profiles, and implement proper security measures to mitigate their risks. Another area to focus on is the need for cybersecurity training for employees, especially since many reported cyberattacks occurred through simple phishing scams.
