Analysts have revealed an interesting case of advanced threat actors, with victims in overlapping locations, targeting one another in an “APT-on-APT” attack.
According to Kaspersky Lab, which detailed the findings on Wednesday, researchers spotted the occurrence while analyzing a spear-phishing email delivered by the Naikon group last February – an advanced persistent threat (APT) actor primarily active in the Philippines, Malaysia, Cambodia and other countries around the South China Sea.
When the target of the phishing email received Naikon's correspondence, however, they didn't respond by taking the bait and opening the malicious attachment, or even by reporting it to their IT department, Kaspersky said.
“Instead of opening the document or choosing to open it on an exotic platform, they decided to check the story with the sender,” Kaspersky's blog post said. In response, the seemingly unphased attacker attempted to verify that the email was legitimate by posing as an worker for a government agency.
Surprisingly enough, the next email exchange involved the so-called “target” sending the "attacker" their own booby-trapped email.
“The attachment [in the email was] a RAR archive with password, which allows it to safely bypass malware scanners associated with the free email account used by the attackers,” Kaspersky explained. “Inside the archive we find two decode PDF files and one SCR file [image].”
The SCR file, a backdoor, was capable of downloading and uploading files as well as updating and uninstalling itself from victims' machines. Of note, Kaspersky found that the malware had previously been used to target government networks in Malaysia, the Philippines and Indonesia, and diplomatic agencies in the U.S. The infrastructure supporting the malware attacks was also linked with other APT groups, including one, dubbed “Hellsing,” which Kaspersky noted as similarly having targets in the South China Sea area.