To lure victims into downloading the spyware implants, the adversaries set up Facebook and Instagram accounts with more than 1,000 followers and designed attractive religious-themed graphics, an effective trap for adherents of the Baháʼí faith. Most of these social media accounts contain a link to a Telegram channel also created by the attacker.
In this channel, the actor behind SandStrike distributed a seemingly harmless VPN application for accessing sites banned in certain regions, for example religious materials. To make the application fully functional, the adversaries also set up their own VPN infrastructure.
However, the VPN client also contains fully functional spyware that lets the threat actors collect and exfiltrate sensitive data, including call logs and contact lists, and track the further activities of the persecuted individuals.
Throughout the third quarter of 2022, APT actors were continuously changing their tactics, sharpening their toolsets and developing new techniques. The most significant findings include:
- A new sophisticated malware platform targeting telecoms companies, ISPs and universities
Together with SentinelOne, Kaspersky researchers analyzed a never-seen-before sophisticated malware platform dubbed Metatron. Metatron primarily targets telecommunications companies, internet service providers and universities in Middle Eastern and African countries. It is designed to bypass native security solutions while loading its malware directly into memory.
- Upgrades to advanced and sophisticated tools
Kaspersky experts observed Lazarus using the DeathNote cluster against victims in South Korea. The actor possibly used a strategic web compromise, employing an infection chain similar to the one Kaspersky researchers have previously reported, which attacked an endpoint security program. However, the experts found that both the malware and the infection scheme had been updated. The actor used previously unseen malware with minimal functionality, limited to executing commands from the C2 server. Using this implanted backdoor, the operator stayed hidden in the victim's environment for a month and collected system information.
- Cyber-espionage continues to be a prime aim of APT campaigns
In the third quarter of 2022, Kaspersky researchers detected numerous APT campaigns whose main targets were government institutions. Our recent investigations show that this year, from February onwards, HotCousin has attempted to compromise foreign affairs ministries in Europe, Asia, Africa and South America.
“As we can see from the analysis of the last three months, APT actors are now strenuously working to create attack tools and improve old ones to launch new malicious campaigns. In their attacks, they use cunning and unexpected methods: SandStrike, attacking users via a VPN service, where victims tried to find protection and security, is an excellent example. Today it is easy to distribute malware via social networks and remain undetected for several months or even more. This is why it is so important to be as alert as ever and make sure you are armed with threat intelligence and the right tools to protect against existing and emerging threats,” comments Victor Chebyshev, lead security researcher at Kaspersky’s GReAT.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over the past 20 years. To help businesses enable effective defenses in these turbulent times, Kaspersky announced free access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats. Request access online.
- Upskill your cybersecurity team to enable them to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
- Use an enterprise-grade EDR solution such as Kaspersky EDR Expert. It is essential to be able to detect threats among a sea of scattered alerts, by automatically merging alerts into incidents, and to analyze and respond to an incident in the most effective way.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats at the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
- As many targeted attacks start with social engineering techniques such as phishing, introduce security awareness training and teach practical skills to your team, using tools such as the Kaspersky Automated Security Awareness Platform.
New SandStrike spyware targets Android users with booby-trapped VPN application
Kaspersky
In the third quarter of 2022, Kaspersky researchers uncovered a previously unknown Android espionage campaign dubbed SandStrike. The actor targets a Persian-speaking religious minority, the Baháʼí, by distributing a VPN app that contains highly sophisticated spyware. Kaspersky experts also discovered an advanced upgrade of the DeathNote cluster and, together with SentinelOne, investigated the never-seen-before Metatron malware. These and other discoveries are revealed in Kaspersky’s latest quarterly threat intelligence summary.