APT | SC Media

APT

CozyDuke APT group believed to have targeted White House and State Department

APT 29/The Dukes back in business

The threat group APT 29 has apparently returned to action with ESET uncovering three new malware families it is attributing to the cybergang. APT 29/The Dukes is best known as being the primary suspect behind the Democratic National Committee breach during the run-up to the 2016 U.S. presidential election, but the group had remained quiet…

New 'Rombertik' malware destroys master boot record if analysis function detected

Major software vendor compromised with previously undocumented PortReuse backdoor

A thorough investigation into reputed Chinese APT actor Winnti Group turned up a previously undocumented backdoor that was used to compromise a popular Asian mobile hardware and software vendor — perhaps as a prelude to launching a major supply chain attack against its users. Dubbed PortReuse, the modular malware is a passive network implant that…

New ‘Reductor’ malware compromises machines’ encrypted TLS traffic

Cyber espionage actors have developed a malware that can mark victims’ TLS-encrypted outbound traffic with identifiers so it can be compromised and potentially decoded later. Dubbed Reductor, the malware appears to share similar code to the COMpfun trojan, which was first documented in 2014 and is closely associated with suspected Russian APT group Turla, aka…

Cyber espionage actor PKPLUG keeps plugging away at targeting SE Asia

Drawing on three years of investigatory work, researchers have assembled a detailed playbook on PKPLUG, a suspected Chinese threat actor targeting Asians with an assortment of malware used for cyber espionage purposes. The authors of this playbook – members of Palo Alto Networks threat research group Unit 42 – were able to connect PKPLUG to…

Attackers trojanize Windows Narrator tool to spy on Asian tech firms

Threat actors have been targeting Southeast Asian tech companies with an open-source backdoor that helps establish a foothold in infected machines, and a weaponized text-to-speech application that lets attackers gain SYSTEM-level access. BlackBerry Cylance’s research and intelligence team said in a Sept. 25 blog post that attackers behind the two-year-old campaign are using the malicious…

Second phishing campaign featuring LookBack malware targets U.S. utilities

A malicious threat actor continued to target the U.S. utilities sector with LookBack malware last August, launching a new phishing campaign that targeted organizations with emails impersonating a certification test administrator. Discovered earlier this year by researchers at Proofpoint, LookBack includes a proxy mechanism and a remote access trojan module. In July, the attackers behind…

Reports say China devised iPhone malware campaign to track Muslims; Android and Windows devices also targeted

A recently exposed malware campaign that used watering-hole attacks to target iPhone users for more than two years was reportedly part of an effort to track Uyghur Muslims based in China’s Xinjiang state. The campaign was actually broader than originally thought, and attempted to infect Android and Microsoft Windows devices as well, reports are also…

Report: North Korea funded WMD programs with $2B stolen via cyberattacks

North Korea’s rampant and repeated cyberattacks on financial institutions and cryptocurrency exchanges over the years have generated $2 billion in stolen funds, which the nation allocated toward developing weapons of mass destruction programs, according to a confidential UN document, Reuters reported yesterday. “Democratic People’s Republic of Korea cyber actors, many operating under the direction of…

APT-hunting group claims China’s Security Ministry is behind APT17

Researchers at Intrusion Truth are claiming the cyberespionage group APT17 is operated by the Jinan bureau of the Chinese Ministry of State Security (MSS). Intrusion Truth is an online anonymous group of cybersecurity analysts who investigate and expose APT groups linked to the Chinese government. APT17 is believed to have been behind a series of…

APT34 spread malware via LinkedIn invites

FireEye researchers identified a phishing campaign conducted by the cyberespionage group APT34, which masqueraded as a member of Cambridge University to gain victims’ trust and get them to open malicious documents. Researchers noticed the campaign in late June 2019 using LinkedIn professional network invitations to deliver the malicious documents that included the use of three new malware families…
