Five Major APT Groups
In 2019, NSFOCUS Security Labs tracked and delved into five major APT groups: BITTER, OceanLotus, MuddyWater, APT34, and FIN7. The following sections illustrate the latest developments of these APT groups by explaining how they optimize attack chains, refine attack methods, and sharpen RAT tools.
BITTER is an attack group with strong political motivations as it has long been engaged in attacks against Pakistan and Chinese governments, mainly targeting military-industrial complexes and electrical and nuclear facilities. This organization often exploits vulnerabilities in InPage document processing software which has a large user base in Pakistan.
In September 2019, NSFOCUS Security Labs’ threat hunting system detected an APT attack launched by BITTER. Finding that the C&C servers of this attack were still alive and being updated, we finally obtained all files in the arsenal by leveraging C&C server misconfiguration. By comparing these files with historical data, we found that BITTER had updated and replaced attack tools and assigned a different role to each tool. Meanwhile, we captured a brand new RAT tool dubbed Splinter. According to our longterm tracking and analysis, BITTER has been devoted to developing Splinter since May 2019 in the hope of replacing the original RAT tool.
OceanLotus, an APT group disclosed in 2014, mainly targets private enterprises, governments, dissidents, and journalists, with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.
By analyzing the attack methods, attack tools, and kill chains used by OceanLotus over two years, we found that “wwlib side-loading” was this organization’s most favored kill chain. The payload of this kill chain was identified as early as 2018 when not many payloads were used by this organization. In 2019, OceanLotus constantly refined the process and payload of “wwlib side-loading” and used it as its main attack means.
OceanLotus, though having developed a variety of attack methods and complicated kill chains recently, still uses the same core attack technique and trojan payload. As the main remote control payload used by OceanLotus in 2019, DenesRAT deserves much attention.
OceanLotus drops DensRAT via various means, including HTA files, WinRAR vulnerabilities, and WinRAR executables.
According to the analysis of kill chains used by OceanLotus in recent years, this organization always aggressively tries to use various topical vulnerabilities and attack techniques, integrating them into the attack process to launch more successful attacks on a larger attack surface. This, in turn, poses higher requirements for the defense system of security vendors.
MuddyWater is an Iranian APT group which, driven by strong political motivations, primarily targets governments, telecommunications, and petroleum sectors in the Middle East, Europe, and North America.
According to our analysis, MuddyWater uses attack methods with distinct characteristics. Specifically, this organization often uses Word documents with a macro virus and relies heavily on Visual Basic Script (VBS) and PowerShell scripts, starting them generally by creating an auto-start item and a scheduled task. These scripts employ numerous detection evasion methods, including anti-debugging, cryptography, and obfuscation. More often than not, MuddyWater uses CMSTP.exe to bypass User Account Control (UAC) and AppLocker of Powershell. Also, via extensive scanning and web page Trojans, MuddyWater has collected a large number of compromised websites as proxy hosts to hide real C&C addresses.
MuddyWater is preferring RAT tools written with Delphi besides VBS and Powershell and is heading towards mobile devices powered by Android and other systems. It is clear that MuddyWater has never stopped developing new tools and employing attack techniques to evade stricter detection.
APT34 is an Iranian APT organization which, since 2014, has primarily targeted governments, telecommunications, finance, energy, chemical, and other sectors in the Middle East. In the past few years, APT34 has hit China, Turkey, Albania, and other countries and regions, with a particular focus on
As early as the middle of March 2019, this hacker/hacker organization released and sold APT34’s toolkit on the Internet. On April 18, a hacker organization sold a toolkit of APT34 under a false name of Lab Dookhtegan on a Telegram channel. Also on sale was its collected victim data and screenshots of the tool backend panel. Our analysis of the disclosed toolkit reveals that the tools included in this toolkit differ from those exposed to the public previously .
According to analysis, APT34 hits targets in a number of ways, including obtaining system data via an SQL injection attack, launching brute-force attacks and weak password dictionary attacks, and using Mimikatz for lateral movement during intranet penetration. We also find that APT34 often uses WebMail as an entry to target systems, so we suspect that APT34 has crafted a 0-day exploit against a certain WebMail system.
FIN7 has been engaged in malicious activities since 2015, always launching carefully crafted spear phishing attacks against the finance, retail, restaurant, and hospitality sectors in the USA.
FIN7 is a big criminal group as it operates in an organized and structured manner and can quickly adapt to and adjust tactics, techniques, and procedures (TTP) on a large scale. Over three years, FIN7 has never ceased malicious activities, constantly sharpening its malware dropping techniques like HALFBAKED, POWERSOURCE, BATELEUR, and GRIFFON. In addition, FIN7 has used such RAT tools as CARBANAK, TINIMET, and DRIFTPIN to pose persistent threats in different periods.
Each APT organization has its own kill chain with distinctive characters. They constantly upgrade their toolkits to keep up with the topical vulnerabilities and attack techniques. Besides, they have tried every
means to hide their traces from detection in multiple sections in the kill chain. To effectively deal with those crafty groups, the current defense systems should be further improved to provide more powerful
protection. NSFOCUS will continue to follow up with and thoroughly study new developments and trends of APTs, thus providing support for the building of better defense systems.
To be continued.