Kaspersky Lab APT Trends report, Q1 2017 – From Lazarus APT to StoneDrill

Pierluigi Paganini May 02, 2017

Kaspersky is currently monitoring the activities of more than 100 threat actors, from the From Lazarus APT to StoneDrill.

According to the experts from KasperskyLab, the infamous Lazarus APT group, aka BlueNoroff, is the most dangerous threat against financial institutions worldwide.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

Experts at Symantec collected evidence demonstrating the Lazarus APT group was behind the campaign that leveraged on a “loader” software used to stage attacks by installing other malicious programs.

Both US and South Korea governments are blaming Pyongyang for the attacks, but the North Korean government has denied allegations it was behind the hacks.

The Lazarus APT has been associated with numerous cyber attacks against high-profile targets, including the 2014 Sony Pictures hack, the Bangladesh cyberheist at the New York Federal Reserve Bank and the recent attack against banks in Poland.

According to Kaspersky Lab, the hacking campaign against banks worldwide is still ongoing, recently the experts detected new malware samples linked to the group’s activity.

Below the findings of an ATP trends report recently published by Kaspersky Lab:

  • We believe BlueNoroff is one of the most active groups in terms of attacks against financial institutions and is trying to actively infect different victims in several regions.
  • We think their operations are still ongoing, and in fact, their most recent malware samples were found in March 2017.
  • At the moment we believe BlueNoroff is probably the most serious threat against banks.

Kaspersky is currently monitoring the activities of more than 100 threat actors, APT groups and financially motivated cybercrime gangs, that are targeting almost any industry across over 80 countries.

Other APT groups tracked by Kaspersky that were most active in the first quarter of 2017 were Shamoon and StoneDrill APTs. According to the researchers, the groups are distinct, but they share the same two separate likely they are working together to compromise Saudi targets with high sophisticated wiper malware.

The experts linked the StoneDrill malware to Shamoon 2 attacks and Charming Kitten campaign (aka Newscaster and NewsBeef).

The malware was used by threat actors against entities in Saudi Arabia and at least one organization in Europe.

StoneDrill Lazarus APT

The experts discovered many similarities between malware styles and malware components in Shamoon, StoneDrill, and NewsBeef.

Malware researchers highlighted that APT groups leverage on the use of generic tools in attacks making hacked the attribution of the attacks.

“Rather than creating and having their own tools, these use generic tools that are good enough to complete an operation, and provide an evident economic advantage, with the added value of making both analysis of the incident and attribution to a particular actor more difficult.” states the report.

“Nowadays there is a large number of different frameworks providing cyber-actors with many options, especially for lateral movement. This category includes Nishang, Empire, Powercat, Meterpreter, etc. Interestingly, most of these are based on Powershell, and allow the use of fileless backdoors.”


Enjoy the report!

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Lazarus APT, cybercrime)

[adrotate banner=”13″]

you might also like

leave a comment