
New SandStrike spyware targets Android users


In Q3 2022, Kaspersky researchers uncovered a previously unknown Android spyware campaign dubbed SandStrike. The actor targets a Persian-speaking Baháʼí religious minority by distributing a VPN application that contains highly sophisticated spyware. Kaspersky experts also discovered an advanced upgrade to the DeathNote cluster and, together with SentinelOne, investigated a never-before-seen malware platform dubbed Metatron. These and other findings are revealed in Kaspersky’s latest quarterly threat report.

To entice victims to download the spyware, the attackers created Facebook and Instagram accounts with over 1,000 followers and designed inviting religious-themed graphic materials, creating an effective trap for believers. Most of these social media accounts contain a link to a Telegram channel also created by the attacker.

In this channel, the SandStrike operator distributed an apparently harmless VPN application for accessing websites prohibited in certain regions, for example, materials related to religion. To make this application fully functional, the developers also built their own VPN infrastructure.

However, the VPN client contains fully functional spyware with capabilities that allow the threat actors to collect and steal sensitive data, including call logs and contact lists, and to track other activities of the targeted individuals.

Throughout the third quarter of 2022, APT actors continually changed their tactics, refining their toolkits and developing new techniques. The most significant findings include:

  • A new sophisticated malware platform aimed at telecom companies, ISPs and universities

Together with SentinelOne, Kaspersky researchers analyzed a never-before-seen sophisticated malware platform dubbed Metatron. Metatron primarily targets telecommunications companies, Internet service providers and universities in Middle Eastern and African countries. Metatron is designed to circumvent native security solutions by loading its malware components directly into memory.

  • Updating advanced and sophisticated tools

Kaspersky experts noted that Lazarus is using the DeathNote cluster against victims in South Korea. The group possibly used a strategic web compromise, employing an infection chain similar to the one Kaspersky experts reported earlier, attacking an endpoint security program. However, the experts found that the malware and infection schemes had also been updated. The actor used previously unseen malware with minimal functionality to execute commands from the C2 server. Using this implanted backdoor, the operator remained hidden in the victim’s environment for a month and collected information from the system.

  • Cyberespionage remains the main objective of APT campaigns

In the third quarter of 2022, Kaspersky researchers detected numerous APT campaigns whose main targets are government institutions. Our recent investigations show that this year, starting in February, HotCousin tried to compromise foreign ministries in Europe, Asia, Africa and South America.

“As we can see from the analysis of the last three months, APT actors are now actively creating attack tools and improving existing ones to launch new malicious campaigns. In their attacks, they use cunning and unexpected methods: SandStrike, which attacks users through a VPN service, where victims try to find protection and security, is an excellent example. Currently, it is easy to distribute malware via social networks and remain undetected for several months or even longer. That’s why it’s so important to be as alert as ever and make sure you’re armed with the threat intelligence and the right tools to protect yourself from existing and emerging threats,” notes Victor Chebyshev, lead security researcher at Kaspersky’s GReAT.

To read the full APT Q3 2022 Trends Report, please visit securelist.com.

To avoid falling victim to a targeted attack by a known or unknown actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single access point for the company’s TI, providing cyberattack data and insights collected by Kaspersky over the last 20 years. To help companies enable effective defenses in these turbulent times, Kaspersky announced free access to independent, continuously updated and globally sourced information about cyberattacks and ongoing threats. Request access online.
  • Train your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
  • Use an enterprise-grade EDR solution such as Kaspersky EDR Expert. It is essential to detect threats among a sea of dispersed alerts, which the automatic merging of alerts into incidents makes possible, and to analyze and respond to an incident in the most effective way.
  • In addition to adopting essential endpoint protection, implement an enterprise-grade security solution that detects advanced network-level threats at an early stage, such as Kaspersky Anti Targeted Attack Platform.

As many targeted attacks start with social engineering techniques such as phishing, introduce security awareness training and teach your team practical skills using tools such as Kaspersky Automated Security Awareness Platform.
