PT ESC Threat Intelligence

Hellhounds: operation Lahat

In 2023, the Positive Technologies computer security incident response team (PT CSIRT) discovered that a power company had been compromised by the Decoy Dog trojan. According to the PT CSIRT investigation, Decoy Dog has been actively used in attacks on Russian companies and government organizations since at least September 2022. The trojan had previously been discussed by NCIRCC, Infoblox, CyberSquatting, and Solar 4RAYS, but the sample found on the victim's host was a new modification, altered by the adversaries to make it harder to detect and analyze. As far as we can tell, the APT group Hellhounds, which uses Decoy Dog, targets only organizations located in Russia. Notably, the attackers used the command-and-control (C2) server maxpatrol[.]net to impersonate Positive Technologies MaxPatrol products.

A pirated program downloaded from a torrent site infected hundreds of thousands of users

When looking for software, users often turn to seemingly safe websites and torrent trackers to download, install and run programs. But are these programs truly safe? Pirated software can carry threats of all kinds, from miners to complex rootkits. Malware spreading through dubious software downloads is not a new problem, and it has now reached a global scale. We discuss it here through the study of one specific attack. In August 2023, our SOC, using MaxPatrol SIEM, detected abnormal network activity, and the incident response team (PT CSIRT) was engaged. Analysis of the incident established that a user at the X company had been compromised by relatively simple but previously unknown malware. The investigation found no traces of phishing, a breach of the external perimeter, or any other intrusion technique: the user had simply installed a program downloaded from a torrent site.

Dark River. You can't see them, but they're there

In October 2022, during an investigation of an incident at a Russian industrial enterprise, samples of previously unseen malware were found running on the organization's compromised computers. The names of the malware's executable files mimicked those of legitimate software installed on the infected machines, and a number of samples carried valid digital signatures. The identified executables and libraries had also been processed with the Themida protector to hinder detection and analysis. Subsequent analysis of these samples showed that the software is a fairly complex modular backdoor, which we named MataDoor, designed for long-term covert operation in the

Space Pirates: a look into the group's unconventional techniques, new attack vectors, and tools

At the end of 2019, the team at the Positive Technologies Expert Security Center (PT ESC) discovered a new cybercrime group, which they dubbed Space Pirates. It had been active since at least 2017. The first comprehensive research paper describing the group was published in early 2022. Since then, Space Pirates has stepped up its attacks on Russian companies: we have come across the group frequently while investigating cyberattacks over the past year. Its tactics have hardly changed, but it has developed new tools and improved its old ones. The group's main goals are still espionage and theft of confidential information, but it has expanded both its interests and the geography of its attacks. Over the year, at least 16 organizations have been attacked in Russia and one in Serbia. The new victims we identified include Russian and Serbian government and educational institutions, private security companies, aerospace manufacturers, agricultural producers, and defense, energy, and infosec companies.

(Un)secure development, part 2: borrowing metadata from popular packages to fake Python project ratings

We recently published an article about detecting malicious packages in the Python Package Index [ru], and since then we have been actively using the service we developed for analyzing projects. Today we want to share an interesting observation related to the falsification of project reputation statistics: how a project's reputation can be inflated, sometimes inadvertently, by reusing the metadata of a popular package, how common this is, and how such tampering can be detected automatically.
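The kind of check the passage above calls for, as an added example that is not code from the PT ESC article or its analysis service: reputation aggregators read a package's repository link from its PyPI metadata (`home_page`, `project_urls`) and display that repository's stars and forks, so a package that points at someone else's popular repository inherits that reputation. The code below takes PyPI-style `info` records (constructed sample data, names and URLs invented) and flags packages whose linked repository name does not match the package name or whose repository is also claimed by another package. The thresholds and the github.com/gitlab.com-only parsing are assumptions.

```python
"""Heuristic audit of PyPI metadata for "borrowed" repository links.

Added example, not the article's own tooling. Records mimic the "info"
object of https://pypi.org/pypi/<name>/json; all sample data is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample metadata (names and URLs are invented for illustration).
SAMPLE_PACKAGES = [
    {"name": "requests", "home_page": "https://github.com/psf/requests",
     "project_urls": {"Source": "https://github.com/psf/requests"}},
    # Suspicious: unrelated package pointing at the requests repository.
    {"name": "requests-turbo-utils", "home_page": "https://github.com/psf/requests",
     "project_urls": {"Homepage": "https://github.com/psf/requests"}},
    # Suspicious: repository name has nothing to do with the package name.
    {"name": "fastjsonx", "home_page": "",
     "project_urls": {"Repository": "https://github.com/pallets/flask"}},
    # Legitimate: project site is not a code host, repo name matches package.
    {"name": "Pillow", "home_page": "https://python-pillow.org",
     "project_urls": {"Source": "https://github.com/python-pillow/Pillow"}},
]

# Assumption: only these code hosts are parsed for owner/repo slugs.
CODE_HOSTS = {"github.com", "www.github.com", "gitlab.com"}


def normalize(name):
    """PEP 503 name normalization, applied to package and repository names alike."""
    return re.sub(r"[-_.]+", "-", name).lower()


def repo_slugs(info):
    """Collect lowercase 'owner/repo' slugs from every code-host URL in the metadata."""
    urls = [info.get("home_page") or ""] + list((info.get("project_urls") or {}).values())
    slugs = set()
    for url in urls:
        parsed = urlparse(url)
        if parsed.netloc.lower() in CODE_HOSTS:
            parts = [p for p in parsed.path.split("/") if p]
            if len(parts) >= 2:
                slugs.add(f"{parts[0]}/{parts[1].removesuffix('.git')}".lower())
    return slugs


def name_mismatch(info):
    """True when the package links repositories but none is named like the package."""
    pkg = normalize(info["name"])
    slugs = repo_slugs(info)
    return bool(slugs) and all(normalize(s.split("/")[1]) != pkg for s in slugs)


def shared_repos(packages):
    """Map slug -> sorted package names, for slugs claimed by more than one package."""
    claims = defaultdict(set)
    for info in packages:
        for slug in repo_slugs(info):
            claims[slug].add(info["name"])
    return {slug: sorted(names) for slug, names in claims.items() if len(names) > 1}


def audit(packages):
    """Return {package_name: [reasons]} for packages that look like they borrow reputation."""
    findings = defaultdict(list)
    shared = shared_repos(packages)
    for info in packages:
        pkg = normalize(info["name"])
        if name_mismatch(info):
            findings[info["name"]].append("repo name does not match package name")
        for slug in repo_slugs(info):
            # The package whose name matches the repo is presumed to be the real owner.
            if slug in shared and normalize(slug.split("/")[1]) != pkg:
                findings[info["name"]].append(f"repo {slug} also claimed by {shared[slug]}")
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_PACKAGES).items():
        print(f"{name}: " + "; ".join(reasons))
```

The name-mismatch rule produces false positives for projects whose repository is legitimately named differently from the distribution (the `Pillow` record shows the normalization handling the easy case), so in practice the two signals are better used to rank packages for manual review than to block them outright.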

APT Cloud Atlas: Unbroken Threat

Specialists at the PT Expert Security Center have been monitoring the Cloud Atlas group since May 2019. The group's goals are espionage and theft of confidential information, and its usual initial access vector is phishing emails with malicious attachments. In the third quarter of 2022, during our investigation, we identified a phishing campaign targeting employees of Russian government agencies. The attackers tailored their mailings to the professional field of the recipients, even though we found no publicly available information about those recipients. The attackers first became known in 2014, when Kaspersky researchers published a report on them. Since then, their tools have changed little (see the "Malware analysis" section), but no detailed analysis and description of the functionality of these tools has been published so far. In this report, we discuss the main techniques of the Cloud Atlas group and take an in-depth look at the tools it uses.

TgRAT

During an investigation, the Positive Technologies Expert Security Center (PT ESC) discovered a hacking toolkit that used the Telegram messaging app to manage backdoors. To penetrate the network and move laterally within it, the attackers used both well-known tools, such as Impacket, Mimikatz, and traffic tunneling utilities (Chisel, dnscat2, Gost, and others), and newer, less widespread malware, such as remote access trojans that use the Telegram API to transfer data. Malware analysis was performed by the PT ESC cyberthreat research team.

Flying in the clouds: APT31 renews its attacks on Russian companies through cloud storage

In April 2022, PT Expert Security Center detected an attack on a number of Russian media and energy companies that used a malicious document named "list.docx" to deliver a malicious payload packed with VMProtect. Having analyzed the network packet, we found it to be identical to the one we studied in our earlier report on APT31 tools, suggesting that the samples belong to the same group. The malware samples date from November 2021 to June 2022. Detailed analysis of the tools showed that the Yandex.Disk service was used as the C2 server. This struck us as a curious case: a presumably foreign group using a Russian service specifically to make its network traffic look legitimate. The group's earlier use of the Dropbox cloud service, together with the overlaps with the tools mentioned above, suggests that here too we are dealing with the APT31 toolkit. This report describes the tools and techniques and their features, discusses the similarities and differences, and lays out the characteristics on the basis of which we attributed them to APT31.
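Both the TgRAT and the APT31 reports above describe the same evasion: C2 over a popular public service (the Telegram Bot API, Yandex.Disk, earlier Dropbox) so that the traffic blends in. As an added example that is not code from either report, the check below runs over constructed proxy log lines and flags internal hosts that talk to those services' API endpoints without being on an allowlist, counting upload-like requests and extracting the Telegram bot ID from the URL path. The log format, the allowlist and the assumption that the malware uses the services' documented API hostnames are all assumptions; the endpoint hostnames themselves are the public ones for each service.

```python
"""Detect hosts using messaging/cloud-storage APIs as a C2 channel, from proxy logs.

Added example, not code from the PT ESC reports. The log lines below are
constructed; the format (ts client host method url status bytes) assumes a
TLS-inspecting proxy that records the full URL, not just the CONNECT host.
"""
import re
from collections import defaultdict

# Public API hostnames of services the reports describe as C2 channels.
C2_CAPABLE_SERVICES = {
    "api.telegram.org": "Telegram Bot API",
    "cloud-api.yandex.net": "Yandex.Disk REST API",
    "webdav.yandex.ru": "Yandex.Disk WebDAV",
    "api.dropboxapi.com": "Dropbox API",
    "content.dropboxapi.com": "Dropbox content API",
}

# Assumption: (client, host) pairs with a known business reason, e.g. a
# workstation that legitimately runs a Telegram bot.
ALLOWLIST = {("10.1.5.23", "api.telegram.org")}

# Constructed sample log (invented addresses, tokens and paths).
SAMPLE_LOG = """\
1718000001 10.1.5.23 api.telegram.org POST https://api.telegram.org/bot123:abc/getUpdates 200 512
1718000002 10.1.7.40 api.telegram.org POST https://api.telegram.org/bot987:xyz/getUpdates 200 498
1718000003 10.1.7.40 api.telegram.org POST https://api.telegram.org/bot987:xyz/getUpdates 200 498
1718000063 10.1.7.40 api.telegram.org POST https://api.telegram.org/bot987:xyz/sendDocument 200 81920
1718000070 10.1.9.11 cloud-api.yandex.net GET https://cloud-api.yandex.net/v1/disk/resources/download?path=%2Ftasks.txt 200 312
1718000071 10.1.9.11 cloud-api.yandex.net PUT https://cloud-api.yandex.net/v1/disk/resources/upload?path=%2Fout.bin 201 201
1718000080 10.1.2.2 www.example.com GET https://www.example.com/ 200 8000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<host>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<status>\d+) (?P<bytes>\d+)$"
)
# Telegram Bot API URLs carry the bot token in the path: /bot<id>:<secret>/<method>
BOT_TOKEN_RE = re.compile(r"/bot(\d+):")


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in log_text.splitlines()) if m]


def is_upload(record):
    """Heuristic: a write to the service, i.e. data leaving the host."""
    return record["method"] in ("POST", "PUT") and (
        "sendDocument" in record["url"] or "/upload" in record["url"]
    )


def detect(records, allowlist=ALLOWLIST):
    """Return {client: summary} for non-allowlisted clients that use a C2-capable API."""
    hits = defaultdict(lambda: {"services": set(), "requests": 0, "uploads": 0, "bot_ids": set()})
    for r in records:
        host = r["host"].lower()
        service = C2_CAPABLE_SERVICES.get(host)
        if service is None or (r["client"], host) in allowlist:
            continue
        summary = hits[r["client"]]
        summary["services"].add(service)
        summary["requests"] += 1
        if is_upload(r):
            summary["uploads"] += 1
        m = BOT_TOKEN_RE.search(r["url"])
        if m:
            summary["bot_ids"].add(m.group(1))
    return dict(hits)


if __name__ == "__main__":
    for client, summary in detect(parse(SAMPLE_LOG)).items():
        print(client, sorted(summary["services"]), summary["requests"], "requests,",
              summary["uploads"], "uploads, bot ids:", sorted(summary["bot_ids"]))
```

The bot ID is only recoverable because the Telegram Bot API puts the whole token in the URL path; a proxy that logs only the CONNECT hostname still gives you the host-to-service pairing, which is the main signal here, but not the token. Regular polling of `getUpdates` from a server that has no business talking to Telegram is the pattern to alert on; the upload count tells the responder which hosts have already sent data out.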

Space Pirates: analyzing the tools and connections of a new hacker group

At the end of 2019, Positive Technologies Expert Security Center (PT ESC) found a phishing email aimed at a Russian aerospace enterprise. It contained a link to previously unknown malware. Our experts encountered the same malware in 2020 while investigating an information security incident at a Russian government agency. During that investigation, several new malware families sharing a common network infrastructure were also discovered, some of which had not previously been mentioned in open sources. In the summer of 2021, PT ESC found traces of compromise at another Russian aerospace enterprise, which was duly informed; the investigation found connections to the same network infrastructure on its computers. Further research identified at least two more organizations in Russia, both partially state-owned, that had been attacked with the same malware and network infrastructure. We could not unambiguously link the detected activity to any known group, so we gave the attackers a new name, Space Pirates, after the P1Rat string in the PDB paths and the targeting of the aerospace industry. This report describes the group's detected activity, the features of the malware it uses, and its connections with other APT groups.

Masters of Mimicry: new APT group ChamelGang and its arsenal

In Q2 2021, the PT Expert Security Center incident response team conducted an investigation at an energy company. The investigation revealed that the company's network had been compromised by a previously unknown group for the purpose of data theft. The attackers gained access through a trusted relationship: they compromised a subsidiary and entered the target company's network through it. After the first incident, on August 16, 2021, while tracking the newly discovered group, PT ESC specialists detected another successful attack (a server compromise), identified a new victim, and notified the affected organization. This time the attackers targeted a Russian company in the aviation production sector and gained entry through a chain of ProxyShell vulnerabilities.
