A booby-trapped VPN client, a malware platform that bypasses native security solutions, and strategic web compromise techniques were among the new discoveries.

Throughout the third quarter of 2022, advanced persistent threat (APT) actors kept changing their tactics, sharpening their toolsets and developing new techniques, as the cyber incidents handled by Kaspersky’s threat response teams show.

The most significant findings include:

    • A new sophisticated malware platform targeting telecoms companies, ISPs and universities:
      Researchers have analyzed a previously unseen malware platform dubbed Metatron, which primarily targets telecommunications companies, internet service providers and universities in Middle Eastern and African countries. The platform is designed to bypass native security solutions while deploying its malware components directly into memory.
    • Upgrading advanced and sophisticated tools:
      Lazarus was found to be using the DeathNote cluster against victims in South Korea. The actor possibly used a ‘strategic web compromise’, employing an infection chain and attacking an endpoint security program. Experts also discovered that the malware and infection schemes have been updated: the actor used previously unseen malware with minimal functionality, limited to executing commands from the C2 server. Using this implanted backdoor, the operator stayed hidden in the victim’s environment for a month and collected system information.
    • Cyber espionage continues to be a prime aim of APT campaigns:
      In Q3 2022, researchers detected numerous APT campaigns whose main targets were government institutions. From February onwards, HotCousin attempted to compromise foreign affairs ministries in Europe, Asia, Africa and South America.
    • Booby-trapped VPN application:
      Adversaries set up Facebook and Instagram accounts with more than 1,000 followers and designed attractive religion-themed graphic materials to lure adherents of the targeted faith into downloading a seemingly harmless VPN application, ostensibly to gain access to sites hosting banned religious materials. The actor behind SandStrike even set up its own VPN infrastructure to pull off the ruse. The VPN client, however, contains fully functioning spyware that allows the threat actors to collect and steal sensitive data, including tracking any further activities of persecuted individuals.

The firm’s lead security researcher, Victor Chebyshev, commented: “APT actors are now strenuously working to create attack tools and improve old ones to launch new malicious campaigns. In their attacks, they use cunning and unexpected methods to distribute malware via social networks and remain undetected for several months or even more.”