PT ESC Threat Intelligence

Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2

At the end of July 2019, we encountered an interesting piece of malware distributed by the TA505 group, and on July 22, 2019 we uploaded it to ANY.RUN for dynamic analysis. When we reviewed the results, two anomalies caught our attention: in addition to the tags usually displayed for TA505 ServHelper, a "netsupport" tag appeared, and NetSupport RAT was listed among the network signature events. This might seem strange at first glance, since the ServHelper backdoor already gives attackers a significant amount of control over their victims' computers. To get a better understanding of what is going on, let's take a closer look at how the malware functions.

PaaS, or how hackers evade antivirus software

Malware is one of the main tools of any hacking group. Depending on their level of skill and the specifics of the operation, hackers use both publicly available tools (such as the Cobalt Strike framework) and their own developments. Creating a unique set of tools for each attack requires huge resources; therefore, hackers tend to reuse malware across different operations and also share it with other groups. Mass use of the same tool inevitably brings it onto the radar of antivirus companies, which reduces its effectiveness. To prevent this, hackers use code packing, encryption, and mutation techniques. These techniques are often implemented by separate tools called crypters or, sometimes, simply packers. In this article, we use the RTM banking trojan as an example to discuss which packers attackers can use, how they complicate detection of the malware, and what other malware they can pack.

Space Pirates: analyzing the tools and connections of a new hacker group

At the end of 2019, Positive Technologies Expert Security Center (PT ESC) found a phishing email aimed at a Russian aerospace enterprise. It contained a link to previously unknown malware. Our experts discovered the same malware in 2020 when investigating an information security incident at a Russian government agency. During the investigation, several new malware families using a common network infrastructure were also discovered, some of which had not previously been mentioned in open sources. In the summer of 2021, PT ESC revealed traces of compromise of another Russian aerospace enterprise. The organization was duly informed. As a result of the investigation, we found connections to the same network infrastructure on its computers. Further research made it possible to identify at least two more organizations in Russia, both partially state-owned, that were attacked using the same malware and network infrastructure. We could not unambiguously link the detected malicious activity to any known hacker group, so we gave the attackers a new name—Space Pirates. The reason for the name was the P1Rat string used in the PDB paths, and the targeting of the aerospace industry. This report describes the group's detected activity, the features of the malware it uses, as well as its connection with other APT groups.

Positive Technologies detects a series of attacks via Microsoft Exchange Server

While responding to an incident, the Incident Response team of Positive Technologies Expert Security Center (PT ESC) discovered an unknown keylogger embedded in the main Microsoft Exchange Server page of one of our customers. This keylogger was collecting account credentials into a file accessible via a special path from the internet. The team identified over 30 victims, most of whom were linked to government agencies across various countries. According to our data, the first compromise occurred in 2021. Without additional data, we can't attribute these attacks to a specific group; however, most victims are located in Africa and the Middle East.

ExCobalt: GoRed, the hidden-tunnel technique

While responding to an incident at one of our clients, the PT ESC CSIRT team discovered a previously unknown backdoor written in Go, which we attributed to a cybercrime gang dubbed ExCobalt.

Asia's SMS stealers: 1,000 bots and one study

Attackers have increasingly started using Telegram as a command-and-control (C2) server. One example is the Lazy Koala group, which we recently discovered and set out to study. While researching bots on Telegram, we found that many of them originate from Indonesia. We were struck by the huge numbers of messages and victims, and by how new bots and chats seem to appear on Telegram every day, so we decided to get to the bottom of this "Indonesian tsunami."

(Un)secure development, part 2: borrowing metadata from popular packages to fake Python project ratings

We recently published an article about detecting malicious packages in the Python Package Index [ru], and since then we have been actively using the service we developed for analyzing projects. Today we want to share an interesting observation related to the falsification of project reputation statistics. This article explains how a project's reputation can be inflated, even inadvertently, how common this problem is, and how such tampering can be detected automatically.

APT Cloud Atlas: Unbroken Threat

Specialists at the PT Expert Security Center have been monitoring the Cloud Atlas group since May 2019. The goals of the group are espionage and theft of confidential information. The group typically uses phishing emails with malicious attachments as the initial vector for its attacks. In the third quarter of 2022, during our investigation, we identified a phishing campaign targeting employees of Russian government agencies. The attackers tailored their mailings to the professional field of the recipients, even though we found no publicly available information about those recipients. The group first came to light in 2014, when Kaspersky researchers published a report on it. Since then, its tools have not changed much (you can find more about them in the "Malware analysis" section). However, there has not yet been a detailed analysis and description of the functionality of these tools. In this report, we discuss the main techniques of the Cloud Atlas group and take an in-depth look at the tools it uses.

Space Pirates: a look into the group's unconventional techniques, new attack vectors, and tools

At the end of 2019, the team at the Positive Technologies Expert Security Center (PT ESC) discovered a new cybercrime group, which they dubbed Space Pirates. It had been active since at least 2017. The first comprehensive research paper describing the group was published in early 2022. The Space Pirates group has since stepped up attacks on Russian companies: we have come across the group frequently while investigating cyberattacks in the past year. The group has hardly changed its tactics, but it has developed new tools and improved its old ones. The cybercriminals' main goals are still espionage and theft of confidential information, but the group has expanded its interests and the geography of its attacks. Over the year, at least 16 organizations have been attacked in Russia and one in Serbia. Some of the new victims we identified are Russian and Serbian government and educational institutions, private security companies, aerospace manufacturers, agricultural producers, and defense, energy, and infosec companies.

Hellhounds: operation Lahat

In 2023, our Positive Technologies computer security incident response team (PT CSIRT) discovered that a certain power company was compromised by the Decoy Dog trojan. According to the PT CSIRT investigation, Decoy Dog has been actively used in cyberattacks on Russian companies and government organizations since at least September 2022. This trojan was previously discussed by NCIRCC, Infoblox, CyberSquatting, and Solar 4RAYS. However, the sample we found on the victim’s host was a new modification of the trojan, which the adversaries altered in such a way as to make it harder to detect and analyze. As far as we can tell, the APT group Hellhounds that uses Decoy Dog only targets organizations located in Russia. Remarkably, the attackers were using the command-and-control (C2) server maxpatrol[.]net to impersonate Positive Technologies MaxPatrol products.
