Using Kaspersky Threat Attribution Engine, Kaspersky researchers were able to link more than 300 samples of a backdoor called Bisonal to a campaign by the advanced persistent threat actor (APT) CactusPete – a cyberespionage group active since at least 2012. This latest campaign has focused on military and financial targets in Eastern Europe and highlights the group’s rapid development.
CactusPete, also known as Karma Panda or Tonto Team, is a cyberespionage group that has been active since at least 2012. This time they’ve upgraded their backdoor to target representatives from the military and financial sectors in Eastern Europe—most likely to gain access to confidential information. In addition, the speed at which the new malware samples are created suggests the group is developing rapidly. Organizations in these sectors and this region should be on alert.
This most recent wave of activity was first noticed by Kaspersky researchers in February 2020 when they spotted an updated version of the group’s Bisonal backdoor. Using Kaspersky Threat Attribution Engine—a tool for analyzing malicious code for similarities with that deployed by known threat actors to determine the group behind an attack—they linked this one sample with more than 300 others in the wild.
All 300 samples appeared between March 2019 and April 2020—about 20 samples per month—which underscores the fact that CactusPete is developing rapidly. Indeed, the group has continued to refine its capabilities, gaining access to more sophisticated code like ShadowPad in 2020.
The functionality of the malicious payload suggests the group is after highly sensitive information. Once installed on the victim’s device, the Bisonal backdoor allows the group to silently start various programs, terminate any process, upload, download and delete files, and retrieve a list of available drives. In addition, as the operators move deeper into the infected system, they deploy keyloggers to harvest credentials and download privilege-escalation malware to gradually gain more and more control over the system.
It’s unclear how the backdoor is initially downloaded in this latest campaign. In the past, CactusPete has primarily relied on spear-phishing with emails that contain malicious attachments. If the attachment is opened, then the device becomes infected.
“CactusPete is a rather interesting APT group because it’s actually not that advanced—the Bisonal backdoor included. Their success comes not from sophisticated technology or complex distribution and obfuscation tactics, but from a successful application of social engineering tactics. They are able to succeed in infecting high-level targets because their victims click on the phishing emails and open the malicious attachments. This is a great example of why phishing continues to be such an effective method for launching cyber-attacks—and why it’s so important for companies to provide their employees with training on how to spot such emails and stay up-to-date on the latest threat intelligence so that they can spot an advanced actor,” comments Konstantin Zykov, senior security researcher at Kaspersky.
Learn more about CactusPete’s latest activity on Securelist.
To protect your institutions from CactusPete and other APTs, Kaspersky experts recommend:
• Provide your Security Operations Center (SOC) team with access to the latest threat intelligence, and stay up-to-date with new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
• For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions, such as Kaspersky Endpoint Detection and Response.
• Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques. Conduct a simulated phishing attack to ensure that they know how to distinguish phishing emails.
• To quickly link new malicious samples with known attack actors, implement Kaspersky Threat Attribution Engine.