For more than four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of. This is our latest installment, focusing on activities that we observed during Q3 2021. Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact

Disclaimer: when referring to APT groups as Russian-speaking, Chinese-speaking or “speaking” other languages, we refer to various artefacts used by the groups (such as malware debugging strings, comments found in scripts, etc.) containing words in these languages, based on the information we obtained directly or which was otherwise publicly known and reported widely. The use of certain languages does not necessarily indicate a specific geographic relation but rather points to the languages that the developers behind these APT artefacts use.

The most remarkable findings

The SolarWinds incident reported last December stood out because of the extreme carefulness of the attackers and the high-profile nature of their victims. The evidence suggests that the threat actor behind the attack, DarkHalo (aka Nobelium), had spent six months inside OrionIT’s networks to perfect their attack. In June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control – probably achieved by obtaining credentials to the control panel of the victims’ registrar. When victims tried to access their corporate mail, they were redirected to a fake copy of the web interface. Following this, they were tricked into downloading previously unknown malware. The backdoor, dubbed Tomiris, bears a number of similarities to the second-stage malware, Sunshuttle (aka GoldMax), used by DarkHalo last year. However, there are also a number of overlaps between Tomiris and Kazuar, a backdoor that has been linked to the Turla APT threat actor. None of the similarities is enough to link Tomiris and Sunshuttle with high confidence. However, taken together they suggest the possibility of common authorship or shared development practices. You can read more about our findings here.

This quarter we identified several malicious infection documents, droppers and implants that are typical of Gamaredon and which may suggest an ongoing malicious campaign against the Ukrainian government, possibly active since May. We could not precisely identify the associated infection chains, as we could only retrieve parts of them from any live exploitation context. However, we were able to attribute the activity with medium to high confidence to Gamaredon.

ReconHellcat is a little-known threat actor that was spotted publicly in 2020. Our private report gave details about the various droppers along with decoder scripts, as well as analysis of the DStealer backdoor and the large infrastructure we observed associated with the campaign.