Low-level implants, cryptocurrency hunt and geopolitical attacks: what APT actors got up to in Q1 2022
According to Kaspersky’s latest APT trends report for Q1 2022, Advanced Persistent Threat (APT) actors had a busy quarter. Both recently uncovered and ongoing campaigns conducted by new and well-known operators made significant changes to the APT threat landscape. Mostly targeting businesses and governmental entities, APT actors updated already existing malicious toolsets and diversified their techniques to elevate their attacks. These and other trends are covered in Kaspersky’s latest quarterly threat intelligence summary.
During the first three months of 2022, Kaspersky researchers continued to uncover new tools, techniques and campaigns launched by APT groups in cyberattacks all around the world. The three-month APT trends report draws on Kaspersky’s private threat intelligence research and covers the major developments and cyber incidents that researchers believe everyone should be aware of.
Throughout the first quarter of 2022, the ongoing APT activity was driven by newly launched campaigns and a number of attacks around sensitive geopolitical events. The most significant findings include:
- Geopolitical crises as a key driver of APT developments
The threat landscape saw numerous attacks around the Ukrainian crisis. HermeticRansom, DoubleZero and many other new attacks targeting Ukrainian entities were reported throughout February and March. There was a significant spike in the amount of new infrastructure deployed by the APT groups Gamaredon and UNC1151 (Ghostwriter). During the investigation, Kaspersky researchers identified two WhisperGate prototype samples developed in December 2021 that contained test strings and earlier revisions of the ransom note observed in Microsoft’s shared samples. They concluded with high confidence that these samples were earlier iterations of the wiper reportedly used in Ukraine.
At the same time, Kaspersky researchers identified three campaigns linked to the Konni threat actor, active since mid-2021, targeting Russian diplomatic entities. While the attackers used the same Konni RAT implant throughout the different campaigns, the infection vectors were different in each campaign: documents containing embedded macros, an installer masquerading as a Covid-19 registration application and, finally, a downloader with a New Year screensaver decoy.
- The return of low-level attacks
Last year, Kaspersky researchers predicted the further development of low-level implants in 2022. A striking example of this trend is Moonbounce, discovered by Kaspersky, which was the third known case of a firmware bootkit in the wild. This malicious implant was hidden within Unified Extensible Firmware Interface (UEFI) firmware, an essential component of modern computers. The implant was found in the SPI flash, a storage component separate from the hard drive, which lets it survive operating-system reinstallation and disk replacement. The campaign was attributed to the well-known APT actor APT41.
- APT actors go after cryptocurrency
In this quarter, Kaspersky also observed APT actors continuing their hunt for cryptocurrency. Unlike most state-sponsored APT groups, Lazarus and other threat actors associated with this APT have made financial gain one of their primary goals. This actor distributed Trojanized decentralized finance (DeFi) apps in order to increase profit. Lazarus abuses legitimate applications used to manage cryptocurrency wallets by distributing malware that provides control over victims’ systems.
- Updates and online services abuse
APT actors are constantly looking for new ways to increase the efficiency of their attacks. The cyber mercenary group dubbed DeathStalker continues updating its unsophisticated tools to make attacks more efficient. Janicab, its oldest malware, first introduced in 2013, is a prime example of this trend. Overall, Janicab shows the same functionalities as its counterpart malware families, but instead of downloading several tools later in the intrusion lifecycle, as the group used to do with EVILNUM and Powersing intrusions, the new samples have most of the tools embedded and obfuscated within the dropper. Additionally, DeathStalker uses the world’s biggest online services, such as YouTube, Google+, and WordPress among others, as dead-drop resolvers (DDRs) to execute effective stealthy command and control.
“Geopolitics have always been the main driver of APT attacks, and never has it been so evident as now. We are living in turbulent times and this is clear through the cybersecurity lens, too. At the same time, we can see that for many threat actors the first quarter has been business as usual, with continuous updates of tools and new campaigns that seek after not just information, but also money,” comments David Emm, Principal Security Researcher, Kaspersky’s GReAT.