Careto is a highly sophisticated threat actor that has been seen targeting various high-profile organizations since at least 2007.
The last operations conducted by this threat actor were observed in 2013.
Our private report provided a detailed description of these activities, focusing on how the actor performed the initial infections, lateral movement, malware execution, and data exfiltration activities.
It is notable that the Careto actor used custom techniques, such as employing the MDaemon email server to maintain a foothold inside the organization or leveraging the HitmanPro Alert driver for persistence.
Our last report on the Oilrig APT discussed how IT service providers were potentially used as a pivot point to reach their clients as the end target, and we kept tracking the threat actor's activity to identify relevant infection attempts.
We detected another activity in the process, likely by the same threat actor, but this time targeting an internet service provider in the Middle East.
The actor also used an AutoHotkey-based keylogger similar to the one used in a previous intrusion.
Ultimately, the actor implanted the malware to pilfer browser-stored data including cookies and login credentials.
Notably, our investigation did not uncover any additional victims during these instances, indicating a highly focused targeting approach by the actor.
The threat actor distributed this backdoor over the organization's network by infecting a batch file located on an internal network share.
We additionally observed the threat actor behind this backdoor launching penetration testing tools, such as Ligolo-ng, Inveigh and Impacket.
The threat actor SideWinder launched hundreds of attacks in recent months against high-profile entities in Asia and Africa.
The actor can also be observed employing its old malware on occasion.
We recently discovered that this notorious actor was testing its old and familiar tool, ThreatNeedle.
The malware author utilized a binder tool to create initial-stage malware for delivering and implanting the final payload. The main objective of the binder tool is assembling the malware installer, actual payload and configuration.
By investigating the command-and-control resources used by the actor, we discovered NPM packages containing malicious JavaScript code that delivers malware without notifying the user.
To mitigate exposure to threat actors of this type, it is first important to update the threat/risk profile when similar events happen.
The threat actor first started distributing the malicious APK via Google Play in 2018, but switched to malicious web pages forged to imitate legitimate resources relating to the most common Italian internet service providers in 2019.
While the TTPs of some threat actors remain consistent over time, such as heavy reliance on social engineering as a means of gaining a foothold in a target organization or compromising an individual's device, others have refreshed their toolsets and expanded the scope of their activities.
The Spyrtacus malware used for targeting individuals in Italy demonstrates that threat actors continue to develop for multiple platforms, including mobile malware.
This Cyber News was published on securelist.com. Publication date: Thu, 09 May 2024 14:43:06 +0000