APT Group Targeting Governmental Agencies in East Asia

guest · Dec 10, 2020

Avast Identifies APT Group Targeting Government Agencies in East Asia
The research indicates that the APT group LuckyMouse could be behind the attack
December 9, 2020
https://www.prnewswire.com/news-rel...vernment-agencies-in-east-asia-301189220.html

PRAGUE, Dec. 9, 2020 /PRNewswire/ -- Avast (LSE:AVST), a global leader in digital security and privacy products, has identified a new advanced persistent threats (APT) campaign targeting government agencies and a government data center in Mongolia.

Avast Threat Intelligence researchers found that the APT group planted backdoors and keyloggers to gain long-term access to government networks belonging to the government of Mongolia. Avast researchers consider LuckyMouse, also known as EmissaryPanda and APT27, is likely to be behind the APT campaign. The group, which has previously attacked targets in the area, is well-known for going after national resources and political information on near neighbors.
Click to expand...

Following research and analysis, Avast researchers noticed the group has updated their tactics. For this attack, the group used both keyloggers and backdoors to upload a variety of tools that they used to scan the target network and dump credentials. They used this to access sensitive government data.

A detailed technical summary can be found on the Avast Threat Intelligence blog Decoded.
Click to expand...

APT Group Targeting Governmental Agencies in East Asia

According to our local telemetries, we consider that the government institutions were attacked in two ways. One was through a vulnerable company who is providing services for these agencies, and the other was through an email spear-phishing with a malicious attachment – a weaponized document using CVE-2017-11882.

There are many tactics that are consistent with other reports of LuckyMouse; nevertheless, we are also seeing some previously undocumented tactics indicating that the actors have updated their toolset with Polpo and LuckyBack backdoors. Our analysis below will highlight those new tactics.
Click to expand...

guest · Dec 10, 2020

Operation StealthyTrident: corporate software under attack
LuckyMouse, TA428, HyperBro, Tmanger and ShadowPad linked in Mongolian supply-chain attack
December 10, 2020
https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/

ESET researchers discovered that chat software called Able Desktop, part of a business management suite popular in Mongolia and used by 430 government agencies in Mongolia (according to Able), was used to deliver the HyperBro backdoor (commonly used by LuckyMouse), the Korplug RAT (also known as PlugX), and a RAT called Tmanger (which was first documented by NTT Security and was used during Operation Lagtime IT campaigns attributed to TA428 by Proofpoint). A connection with the ShadowPad backdoor, which is now used by at least five different threat actors, was also found.

Two different trojanized installers, as well as a likely compromised update system, were used to deliver the payloads. According to our telemetry we think the Able update system has been compromised since at least June 2020 and trojanized installers delivered since at least May 2018
Click to expand...

Additionally, yesterday, Avast published a blogpost documenting a campaign targeting government agencies and a national data center in Mongolia. During that campaign, the attackers compromised an unknown company that was providing government institutions in East Asia and leveraged that compromise to deliver HyperBro by email. We believe that compromised company was Able [...]

We called this campaign Operation StealthyTrident because the attackers make extensive use of a three-pronged “trident” side-loading technique.
Click to expand...

Conclusion
ESET Research discovered a campaign targeting Mongolian organizations that relied on compromised Able Desktop installers and compromises to the Able update system to deliver HyperBro, Korplug and Tmanger malware.

This campaign shows a connection with the ShadowPad backdoor, as we observed network infrastructure overlaps between the ShadowPad C&C network infrastructure and one of the Tmanger C&C addresses.
Click to expand...

Minimalist · Apr 29, 2021

Prime targets: Governments shouldn’t go it alone on cybersecurity

Earlier this year, a well-known APT group dubbed LuckyMouse (aka Emissary Panda, APT27) began exploiting several zero-day Microsoft Exchange Server vulnerabilities. Its end goal? Cyberespionage across multiple government networks in the Middle East and wider organizations in Central Asia. The group used this email server access, and the compromise of Microsoft SharePoint, to deploy a newly updated modular toolkit known as SysUpdate. As ESET explains in a new report, it has been designed to provide on-demand malicious capabilities, while taking great care to resist analysis.
Click to expand...

https://www.welivesecurity.com/2021...nments-shouldnt-go-it-alone-on-cybersecurity/

Log in or Sign up

APT Group Targeting Governmental Agencies in East Asia

guest Guest

guest Guest

Minimalist Registered Member

Log in or Sign up

APT Group Targeting Governmental Agencies in East Asia

guest Guest

guest Guest

Minimalist Registered Member

Useful Searches