Long-established threat groups appear to be cozying up to each other as a means of expanding their operations in the face of fresh competition from new APT players.
In its latest Advanced Persistent Threats quarterly trends report, Kaspersky describes the first three months of 2023 as a time of “bustling APT activity.” The security vendor says APT actors, old and new, have been busy updating their toolsets and expanding their attack vectors, both in terms of geographical location and target industries.
The established threat actors Kaspersky has observed branching out include Turla, MuddyWater, Winnti, Lazarus and ScarCruft.
“While we have been tracking the same APT actors for decades, it’s clear they are continually evolving with new techniques and toolsets,” said David Emm, principal security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
In a separate report released earlier this week, Kaspersky outlined how recent attacks by another APT group, Tomiris, appeared to leverage KopiLuwak and TunnusSched, malware previously connected to Turla. This suggested the two groups, while very likely separate actors, were exchanging tradecraft.
Kaspersky expanded on Tomiris and Turla’s new-found relationship in its APT quarterly trends report.
“Having tracked Tomiris since 2021, we believe, with medium-to-high confidence, that it is distinct from Turla. So, we think that either Tomiris is conducting false-flag attacks implicating Turla, or (more likely) that Turla and Tomiris co-operate.”
The vendor added: “This demonstrates how established APT actors are adapting and evolving their tactics to stay ahead of the game.”
“Additionally,” said Emm, “the emergence of newly developed threat actors means the APT landscape is rapidly changing, especially in these turbulent times.”
New threat groups and tools identified
One of those new actors is a group Kaspersky calls Trila, which has been targeting Lebanese governmental entities. In January, Kaspersky identified new .NET malware for remote console command execution that was used by Trila in a December 2022 attack.
“This actor's toolset primarily consists of simple, homebrewed malware that enables them to remotely execute Windows system commands on infected machines. The information gathered is then exfiltrated to a legitimate interact.sh project instance that serves as a C2 (command and control attack launcher).”
In addition to the .NET malware, Kaspersky discovered Go and Rust variants of a simple, custom SOCKS proxy tool used to redirect C2 communications within the victims' environment.
Late last year, Kaspersky discovered a framework it calls CloudWizard, used to target individuals and organizations located in the conflict zone of Russia’s war against Ukraine.
“This framework has been used since at least 2017, with active infections continuing. It is intended for cyber-espionage, and its features include keylogging, recording using the microphone, taking screenshots and stealing website passwords and email messages.”
Other new threats discovered by Kaspersky include TargetPlug, an in-memory implant used to target game developers in South Korea. It is signed with valid certificates and appears to be linked to the Winnti threat group.
New ScarCruft malware strains and C2 server data have also been found. ScarCruft focuses on spying on individuals connected to the North Korean government, including those living and working abroad.
These new threat tools are coming to light as APT groups continue to expand beyond their traditional targets, including state institutions and high-profile victims. Their domain increasingly includes the aviation, energy, manufacturing, real estate, finance, telecom, scientific research, IT, and gaming sectors. Companies in these sectors often possess valuable data or access and vectors that can help attackers launch future campaigns.
Meanwhile, Kaspersky says, threat groups that previously targeted victims in specific countries are increasingly spreading into new geographies.
An example is MuddyWater, an actor that previously focused on the Middle East and North Africa but has expanded its attacks to organizations in Azerbaijan, Armenia, Malaysia and Canada.