EXECUTIVE SUMMARY
A highly organised threat actor is behind a targeted malware campaign that spans multiple sectors and regions, with the primary goal of stealing and compromising sensitive data. The attackers have been observed targeting companies in finance, healthcare, and technology, particularly those holding high-value intellectual property. They rely on social engineering to distribute the malware, often disguising it as cracked versions of commercial software to lure potential victims into downloading the malicious code.
The malware infects systems by disguising itself as a legitimate software package, which is then executed by the unsuspecting user. Once inside, the malware uses advanced persistence mechanisms to ensure long-term access to the compromised system. It then begins to exfiltrate sensitive data, often encrypted to evade detection, and uses sophisticated command and control (C2) mechanisms to maintain control over the compromised system.
The attackers can also use the compromised system as a springboard to launch further attacks or distribute additional malware. This threat is significant to organisations of all sizes, particularly those in high-risk sectors. The malware's advanced persistence and exfiltration capabilities make it extremely challenging to detect and recover from, often resulting in significant data loss and reputational damage. To prevent such attacks, organisations should ensure that all software packages are sourced from trusted providers, implement robust endpoint protection, and regularly back up critical data. Regular patching and monitoring of system logs are also essential to identify and respond to potential threats in a timely manner.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1078 | Valid Accounts | — |
| Execution | T1204 | User Execution | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1562 | Impair Defenses | — |
| Command and Control | T1071 | Application Layer Protocol | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Persistence | T1053 | Scheduled Task/Job | — |
| Persistence | T1547 | Boot or Logon Autostart Execution | — |
| Lateral Movement | T1021 | Remote Services | — |
| Collection | T1005 | Data from Local System | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Command and Control | T1090 | Proxy | — |
| Initial Access | T1566 | Phishing | — |
| Defense Evasion | T1036 | Masquerading | — |
| Command and Control | T1102 | Web Service | — |
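As an added example (not code from the original report), the threat profile above can be parsed into a tactic-to-technique map and compared with the techniques a SOC already detects, which is how a detection team turns a profile like this into a coverage gap list. The table text in the block is a copy of this page's profile; the `COVERED` set is an assumed placeholder for an organisation's existing detections.

```python
from collections import defaultdict

# Threat profile table as it appears on this page (copied, with a separator row).
THREAT_PROFILE = """\
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1078 | Valid Accounts | — |
| Execution | T1204 | User Execution | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1562 | Impair Defenses | — |
| Command and Control | T1071 | Application Layer Protocol | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Persistence | T1053 | Scheduled Task/Job | — |
| Persistence | T1547 | Boot or Logon Autostart Execution | — |
| Lateral Movement | T1021 | Remote Services | — |
| Collection | T1005 | Data from Local System | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Command and Control | T1090 | Proxy | — |
| Initial Access | T1566 | Phishing | — |
| Defense Evasion | T1036 | Masquerading | — |
| Command and Control | T1102 | Web Service | — |
"""

def parse_profile(table: str) -> list[dict]:
    """Return one dict per technique row; header and separator rows are skipped."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[1] == "Technique ID" or cells[1].startswith("-"):
            continue
        rows.append({"tactic": cells[0], "id": cells[1], "technique": cells[2],
                     "sub": None if cells[3] in ("—", "-", "") else cells[3]})
    return rows

def by_tactic(rows: list[dict]) -> dict[str, list[str]]:
    """Group technique IDs by ATT&CK tactic, preserving the table's order."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["tactic"]].append(r["id"])
    return dict(groups)

def coverage_gaps(rows: list[dict], covered) -> list[str]:
    """Technique IDs in the profile with no detection in `covered` (assumed set)."""
    return sorted({r["id"] for r in rows} - set(covered))

if __name__ == "__main__":
    # Assumed placeholder: techniques this organisation already has detections for.
    COVERED = {"T1566", "T1204", "T1053", "T1547", "T1071"}
    profile = parse_profile(THREAT_PROFILE)
    for tactic, ids in by_tactic(profile).items():
        print(f"{tactic}: {', '.join(ids)}")
    print("gaps:", coverage_gaps(profile, COVERED))
```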
REFERENCES:
The referenced report contains further technical details:
https://isc.sans.edu/diary/32904