Low-level implants, cryptocurrency hunt and geopolitical attacks: what APT actors got up to in Q1 2022

7

According to Kaspersky’s latest APT trends report for Q1 2022, Advanced Persistent Threat (APT) actors had a busy quarter. Both recently uncovered and ongoing campaigns conducted by new and well-known operators made significant changes to the APT threat landscape. Mostly targeting businesses and governmental entities, APT actors updated already existing malicious toolsets and diversified their techniques to elevate their attacks. These and other trends are covered in Kaspersky’s latest quarterly threat intelligence summary.

During the first three months of 2022, Kaspersky researchers continued to uncover new tools, techniques and campaigns launched by APT groups in cyberattacks all around the world. The three-month APT trends report is derived from Kaspersky’s private threat intelligence research and major developments and cyber incidents that researchers believe everyone should be aware of. 

Throughout the first quarter of 2022, the ongoing APT activity was driven by newly launched campaigns and a number of attacks around sensitive geopolitical events. The most significant findings include:

  • Geopolitical crises as a key driver of APT developments

The threat landscape saw numerous attacks around the Ukrainian crisis. HermeticRansom, DoubleZero and many other new attacks targeting Ukrainian entities were reported throughout February and March. There was a significant spike in the amount of new infrastructure deployed by the APT groups Gamaredon and UNC1151 (Ghostwriter). Throughout the investigation, Kaspersky researchers identified two WhisperGate prototype samples developed in December 2021 containing test strings and earlier revisions of the ransom note observed in Microsoft’s shared samples. They concluded with high confidence that these samples were earlier iterations of the wiper reportedly used in Ukraine. 

At the same time, Kaspersky researchers identified three campaigns linked to the Konni threat actor, active since mid-2021, targeting Russian diplomatic entities. While the attackers used the same Konni RAT implant throughout the different campaigns, the infection vectors were different in each campaign: documents containing embedded macros, an installer masquerading as a COVID-19 registration application and, finally, a downloader with a New Year screensaver decoy.

  • The return of low-level attacks

Last year, Kaspersky researchers predicted the further development of low-level implants in 2022. A striking example of this trend is Moonbounce discovered by Kaspersky, which was the third known case of a firmware bootkit in the wild. This malicious implant was hidden within Unified Extensible Firmware Interface (UEFI) firmware, an essential part of computers. The implant was found in the SPI flash, a storage component external to the hard drive. The campaign was attributed to the well-known APT actor APT41.

  • APT actors go after cryptocurrency

In this quarter, Kaspersky also observed APT actors continuing their hunt for cryptocurrency. Unlike most state-sponsored APT groups, Lazarus and other threat actors associated with this APT have made financial gain one of their primary goals. This actor distributed Trojanized decentralized finance (DeFi) apps in order to increase profit. Lazarus abuses legitimate applications used to manage cryptocurrency wallets by distributing malware that provides control over victims’ systems.

  • Updates and online services abuse

APT actors are constantly looking for new ways to increase the efficiency of their attacks. The cyber mercenary group dubbed DeathStalker continues updating its unsophisticated tools to make attacks more efficient. Janicab, its oldest malware, first introduced in 2013, is a prime example of this trend. Overall, Janicab shows the same functionalities as its counterpart malware families, but instead of downloading several tools later in the intrusion lifecycle, as the group used to do with EVILNUM and Powersing intrusions, the new samples have most of the tools embedded and obfuscated within the dropper. Additionally, DeathStalker uses the world’s biggest online services, such as YouTube, Google+, and WordPress among others, as dead-drop resolvers (DDRs) to execute effective stealthy command and control.

‘Geopolitics have always been the main driver of APT attacks, and never has it been so evident, as now. We are living in turbulent times and this is clear through the cybersecurity lens, too. At the same time, we can see that for many threat actors the first quarter has been business as usual, with continuous update of tools and new campaigns that seek after not just information, but also money”, comments David Emm, principal security researcher at Kaspersky’s GReAT. “This means that organizations need to be as alert as ever and make sure they are armed with threat intelligence and the right tools to protect from existing and emerging threats”

The Q1 APT Trends report summarizes the findings of Kaspersky’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IoC) data and YARA rules to assist in forensics and malware-hunting. For more information, please contact: intelreports@kaspersky.com

Earlier this quarter, Kaspersky’s GReAT gave a presentation about cyberattacks in Ukraine, including the latest APT activity. You can find the recording of the webinar here and its summary here.

To read the full APT Q1 2022 trends report, please visit Securelist.com

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years. To help businesses enable effective defenses in these turbulent times, Kaspersky announced access to independent, continuously updated and globally-sourced information on ongoing cyberattacks and threats, at no charge. Request your access to this offer here.
  • Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts developed by GReAT experts
  • For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform
  • As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform