The activity of advanced persistent threat (APT) groups in the third quarter of 2020 indicated a curious trend: while many threat actors advance and continue to diversify their toolsets, at times resorting to extremely tailored and persistent tools, others successfully reach their goals through the employment of well-known, time-tested attack methods. This and other APT trends from different parts of the world are covered in Kaspersky’s latest quarterly threat intelligence report.

In Q3 2020, Kaspersky researchers observed a split in the general approach employed by threat actors – multiple developments in the tactics, techniques and procedures (TTPs) of APT groups across the world were witnessed alongside effective campaigns that used rather trivial infection vectors and toolsets. 

One of the most notable findings of the quarter was a campaign carried out by an unknown actor, who decided to infect one of the victims using a custom bootkit for UEFI – an essential hardware component of any modern computer device. This infection vector was part of a multi-stage framework dubbed MosaicRegressor. The infection of UEFI made the malware planted on the device exceptionally persistent and extremely hard to remove. On top of that, the payload downloaded by the malware to each victim’s device could be different – this flexible approach enabled the actor to hide its payload from unwanted witnesses.

Other actors make use of stenography. A new method abusing the Authenticode-signed Windows Defender binary, an integral and approved program for the Windows Defender security solution, was detected in the wild in an attack on a telecoms company in Europe. An ongoing campaign attributed to Ke3chang utilised a new version of the Okrum backdoor. This updated version of Okrum abuses an Authenticode-signed Windows Defender binary through employment of a unique side-loading technique. The attackers used steganography to conceal the main payload in the Defender executable while keeping its digital signature valid, reducing the chance of detection. 

Many other actors also continue to update their toolsets in order to make them more flexible and less prone to detection. Various multi-stage frameworks, such as the one developed by the MuddyWater APT group continue to appear in the wild. This tendency is true of other malware as well - for instance, the Dtrack RAT (remote access tool), which was updated with a new feature which enables the attacker to execute more types of payload. 

However, some actors still successfully use low-tech infection chains. One example is a mercenary group named DeathStalker by Kaspersky researchers. This APT mainly focuses on law firms and companies operating in the financial sector, gathering sensitive and valuable information from the victims. Using techniques that have been mostly identical since 2018, a focus on evading detection has enabled DeathStalker to continue carrying out a number of successful attacks. 

“While some threat actors remain consistent over time and simply look to use hot topics such as COVID-19 to entice victims to download malicious attachments, other groups reinvent themselves and their toolsets. The widening scope of platforms attacked, continuous work on new infection chains and the use of legitimate services as part of their attack infrastructure, is something we have witnessed over the past quarter. Overall, what this means for cybersecurity specialists is this: defenders need to invest resources in hunting malicious activity in new, possibly legitimate environments that were scrutinised less in the past. That includes malware that is written in lesser-known programming languages, as well as through legitimate cloud services. Tracking actors’ activities and TTPs allows us to follow as they adapt new techniques and tools, and thereby prepare ourselves to react to new attacks in time,” comments Ariel Jungheit, Senior Security Researcher, Global Research and Analysis Team, Kaspersky. 

A three-month APT trends summary for the last quarter recaps the findings of Kaspersky’s subscriber-only threat intelligence reports, as well as other sources that cover major developments the corporate sector should be aware of. Kaspersky’s threat intelligence reports also include Indicators of Compromise (IoC) data, as well as Yara and Suricata rules to assist in forensics and malware hunting. For more information, please contact: intelreports@kaspersky.com.

To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

• Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing ongoing cyber-attack data and insights gathered by Kaspersky over more than 20-years. Free access to its curated features that allow users to check files, URLs and IP addresses is available here.
• For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
• In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.

Read the full Q3 APT trends report on Securelist.com.