A recent report by Kaspersky researchers highlights the significant APT trends in Q3. According to the report, APT actors are continuously changing their tactics, sharpening their toolsets, and evolving with new tools and techniques to launch more sophisticated campaigns.
Chinese-based activity
A41APT has been observed with updated versions of SodaMaster and Ecipekac and a new malicious fileless IIS module dubbed IISBack. It is using a new malicious implant HUI loader to deploy SodaMaster.
DiceyF was spotted targeting online gambling platform development studios and IT recruitment organizations in Hong Kong, the Philippines, China, and Vietnam.
KeyPlug, a modular backdoor, targets high-profile victims in Asian countries. With medium confidence, researchers have attributed malware and the infrastructure to a previously known APT41 group.
Since March, APT10 has resumed its activities with the new version of LODEINFO and a downloader shellcode dubbed DOWNIISSA.
Unknown Chinese-speaking hackers were using several CobaltStrike loaders to leverage either HTTP or raw TCP communication protocols. For post-exploitation activities, they used Radmin and Gh0stRAT tools.
Middle East-based activities
Researchers found many APT groups targeting organizations in the Middle East region.
FramedGolf, a newly discovered IIS backdoor, exploited ProxyLogon-type vulnerabilities on Exchange servers to target Iranian organizations.
SilentBreak group used two new implants named SoleExecutor and Powerpol of SoleDragon malware.
A new spyware SandStrike was used by a threat group to infect the Android devices of a religious minority in Iran.
DeftTorero (aka Lebanese Cedar, Volatile Cedar) uses Explosive RAT as a final payload.
Southeast Asia and Korean Peninsula activities
Researchers have observed new activities of the Lazarus group with the DeathNote cluster. The group used an updated Racket Downloader to deploy additional malware for further post-exploitation activity.
The Tropic Trooper APT was found to have links with the Antlion campaign and it targets the finance sector, tech hardware, and semiconductors industry, as well as a political entity in East and Southeast Asia.
Other prolific and active threat actors such as Kimsuky and Dropping Elephant used the same attack methods with frequently updated tools to gather intelligence data.
Other notable APT groups
North Korean state-sponsored APT Andariel (aka Silent Chollima and Stonefly) has been using Maui ransomware to target the healthcare sector. It deploys a variant of DTrack, with relatively few changes in code, along with new victimology.
The techniques and tradecrafts implemented by HotCousin were found very similar to those used by The Dukes (aka APT29). Since February, it has been attempting to compromise diplomatic and government organizations and foreign affairs ministries in Europe, Asia, Africa, and South America.
Additional discoveries
Researchers found many other activities associated with a new group Adastrea, a new and sophisticated malware Metatron, and a new backdoor with password-stealing capabilities.
Researchers found Lazarus Group with various tools and different clusters such as ThreatNeedle, Bookcode, and DeathNote.
Conclusion
While some APT groups have remained consistent with their targets and TTPs, some have updated their toolsets and extended the scope of their activities. The geographically spread and diverse approach of APT groups of these APT artifacts highlights their key developments over time.