APT

Chinese APT CactusPete targets military and financial orgs in Eastern Europe

China-linked threat actor tracked as CactusPete was employing an updated backdoor in recent attacks targeting military and financial organizations in Eastern Europe.

A China-linked APT group, tracked by Kaspersky as CactusPete (aka Karma Panda or Tonto Team), was observed using an updated backdoor in recent attacks targeting military and financial organizations in Eastern Europe.

The CactusPete cyber-espionage group has been active since at least 2013, it has been mainly focused on military, diplomatic, and infrastructure targets in Asia and Eastern Europe.

Experts pointed out that despite the lack of sophistication, the group carried out successful attacks.

Since the end of February 2020, the group has been observed employing a new variant of its Bisonal backdoor to target organizations in the military and financial sectors in Eastern Europe. While analyzing the samples of the malware, experts discovered that threat actors released more than 20 samples per month and used over 300 identical samples between March 2019 and April 2020.

“Our research started from only one sample, but by using the Kaspersky Threat Attribution Engine (KTAE) we found 300+ almost identical samples. All of them appeared between March 2019 and April 2020. This underlines the speed of CactusPete’s development – more than 20 samples per month. ” reads the analysis published by Kaspersky.

The initial attack vector employed in the last campaign has yet to be discovered, but experts reported that in the past the group used spear-phishing messages with weaponized attachments for its operations. The attachments never included zero-day exploits, but they do include recently discovered and patched flaws.

Upon execution, the malware used by the CactusPete first connects to the attackers’ server, then sends information on the victim network, including hostname, IP and MAC address; OS version; infected host time; proxy usage flags, information on whether it was executed in a VMware environment; and system default CodePage Identifier.

Once compromised the target system, the Bisonal backdoor supports multiple features, such as executing a remote shell, silently run programs, retrieve the process list, terminate processes, upload/download/erase files, list available drives, and retrieve a list of files in a specified folder.

The capabilities allow threat actors to make lateral movement and deeper access to the target organization

The CactusPete hackers also use custom Mimikatz iterations and keyloggers to steal credentials and attempt to escalate privileges.

“Since the malware contains mostly information gathering functionality, most likely they hack into organizations to gain access to the victims’ sensitive data. If we recall that CactusPete targets military, diplomatic and infrastructure organizations, the information could be very sensitive indeed,” Kaspersky continues.

The analysis of other operations carried out by the group over the time revealed that the hackers employed other malware, including the DoubleT backdoor, CALMTHORNE, Curious Korlia, and DOUBLEPIPE.

Experts noticed that the group, which is not considered sophisticated, also uses more complex code, such as ShadowPad, which suggests that other threat actors are supporting his operations.

“We call CatusPete an Advanced Persistent Threat (APT) group, but the Bisonal code we analyzed is not that advanced. Yet, interestingly, the CactusPete APT group has had success without advanced techniques, using plain code without complicated obfuscation and spear-phishing messages with ‘magic’ attachments as the preferred method of distribution,” Kaspersky concludes.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CatusPete)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

40 mins ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

15 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

21 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.