Chinese APT CactusPete targets military and financial orgs in Eastern Europe

China-linked threat actor tracked as CactusPete was employing an updated backdoor in recent attacks targeting military and financial organizations in Eastern Europe.

A China-linked APT group, tracked by Kaspersky as CactusPete (aka Karma Panda or Tonto Team), was observed using an updated backdoor in recent attacks targeting military and financial organizations in Eastern Europe.

The CactusPete cyber-espionage group has been active since at least 2013, it has been mainly focused on military, diplomatic, and infrastructure targets in Asia and Eastern Europe.

Experts pointed out that despite the lack of sophistication, the group carried out successful attacks.

Since the end of February 2020, the group has been observed employing a new variant of its Bisonal backdoor to target organizations in the military and financial sectors in Eastern Europe. While analyzing the samples of the malware, experts discovered that threat actors released more than 20 samples per month and used over 300 identical samples between March 2019 and April 2020.

“Our research started from only one sample, but by using the Kaspersky Threat Attribution Engine (KTAE) we found 300+ almost identical samples. All of them appeared between March 2019 and April 2020. This underlines the speed of CactusPete’s development – more than 20 samples per month. ” reads the analysis published by Kaspersky.

The initial attack vector employed in the last campaign has yet to be discovered, but experts reported that in the past the group used spear-phishing messages with weaponized attachments for its operations. The attachments never included zero-day exploits, but they do include recently discovered and patched flaws.

Upon execution, the malware used by the CactusPete first connects to the attackers’ server, then sends information on the victim network, including hostname, IP and MAC address; OS version; infected host time; proxy usage flags, information on whether it was executed in a VMware environment; and system default CodePage Identifier.

Once compromised the target system, the Bisonal backdoor supports multiple features, such as executing a remote shell, silently run programs, retrieve the process list, terminate processes, upload/download/erase files, list available drives, and retrieve a list of files in a specified folder.

The capabilities allow threat actors to make lateral movement and deeper access to the target organization

The CactusPete hackers also use custom Mimikatz iterations and keyloggers to steal credentials and attempt to escalate privileges.

“Since the malware contains mostly information gathering functionality, most likely they hack into organizations to gain access to the victims’ sensitive data. If we recall that CactusPete targets military, diplomatic and infrastructure organizations, the information could be very sensitive indeed,” Kaspersky continues.

The analysis of other operations carried out by the group over the time revealed that the hackers employed other malware, including the DoubleT backdoor, CALMTHORNE, Curious Korlia, and DOUBLEPIPE.

Experts noticed that the group, which is not considered sophisticated, also uses more complex code, such as ShadowPad, which suggests that other threat actors are supporting his operations.

“We call CatusPete an Advanced Persistent Threat (APT) group, but the Bisonal code we analyzed is not that advanced. Yet, interestingly, the CactusPete APT group has had success without advanced techniques, using plain code without complicated obfuscation and spear-phishing messages with ‘magic’ attachments as the preferred method of distribution,” Kaspersky concludes.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CatusPete)

[adrotate banner=”5″]

[adrotate banner=”13″]