Analysts have revealed an interesting case of advanced threat actors, with victims in overlapping locations, targeting one another in an “APT-on-APT” attack.
According to Kaspersky Lab, which detailed the findings on Wednesday, researchers spotted the occurrence while analyzing a spear-phishing email delivered by the Naikon group last February – an advanced persistent threat (APT) actor primarily active in the Philippines, Malaysia, Cambodia and other countries around the South China Sea.
When the target of the phishing email received Naikon's correspondence, however, they didn't respond by taking the bait and opening the malicious attachment, or even by reporting it to their IT department, Kaspersky said.
“Instead of opening the document or choosing to open it on an exotic platform, they decided to check the story with the sender,” Kaspersky's blog post said. In response, the seemingly unphased attacker attempted to verify that the email was legitimate by posing as an worker for a government agency.
Surprisingly enough, the next email exchange involved the so-called “target” sending the "attacker" their own booby-trapped email.
“The attachment [in the email was] a RAR archive with password, which allows it to safely bypass malware scanners associated with the free email account used by the attackers,” Kaspersky explained. “Inside the archive we find two decode PDF files and one SCR file [image].”
The SCR file, a backdoor, was capable of downloading and uploading files as well as updating and uninstalling itself from victims' machines. Of note, Kaspersky found that the malware had previously been used to target government networks in Malaysia, the Philippines and Indonesia, and diplomatic agencies in the U.S. The infrastructure supporting the malware attacks was also linked with other APT groups, including one, dubbed “Hellsing,” which Kaspersky noted as similarly having targets in the South China Sea area.
“The group has a relatively small footprint compared to massive operations such as ‘Equation'. Smaller groups can have the advantage of being able to stay under the radar for longer periods of time, which is what happened here,” the firm wrote of Hellsing.
“The targeting of the Naikon group by the Hellsing APT is perhaps the most interesting part. In the past, we've seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. But, considering the timing and origin of the attack, the current case seems more likely to be an APT-on-APT attack,” Kaspersky concluded.
In Wednesday email correspondence with SCMagazine.com, Kurt Baumgartner, principal security researcher at Kaspersky Lab, further explained that, "while the Naikon attackers operated with the understanding that they were hitting a ‘soft' target, not one that could strike back, the Hellsing attackers clearly knew that they were striking back directly at another APT.”
Baumgartner added later that the Hellsing-Naikon case shows that “APT supporters and customers around the world are beefing up their budgets for cyber-offense, so this APT vs. APT activity is only going to increase in the near future.”
Kaspersky detected backdoors used by Hellsing attackers in various APT attacks as "HEUR:Trojan.Win32.Generic," "Trojan-Dropper.Win32.Agent.kbuj," and "Trojan-Dropper.Win32.Agent.kzqq."