According to a new Q3 2021 APT Trends report published by Kaspersky, the latest intelligence-gathering operation involved the use of the MATA malware framework as well as backdoors dubbed BLINDINGCAN and COPPERHEDGE to attack the defence industry, an IT asset monitoring solution vendor based in Latvia, and a South Korean think tank.
The MATA malware framework can target Windows, Linux, and macOS. It implements a wide range of features that give attackers full control of infected systems: a multi-stage infection chain loads additional plugins, which in turn provide access to a wealth of information, including files stored on the device.
Kaspersky Lab researchers reported that the North Korea-linked Lazarus APT group is now targeting the IT supply chain. The Lazarus APT group's activity increased in 2014 and 2015, and its members mostly used custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and has been involved in cyber espionage campaigns as well as sabotage activities aimed at destroying data and disrupting systems.
“This quarter we identified several malicious infection documents, droppers and implants that are typical of Gamaredon, and which may suggest an ongoing malicious campaign against the Ukrainian government, possibly active since May. We could not precisely identify the associated infection chains, as we could only retrieve parts of them from any live exploitation context. However, we were able to attribute the activity with medium to high confidence to Gamaredon. Our private report gave details about the various droppers along with decoder scripts, as well as analysis of the DStealer backdoor and the large infrastructure we observed associated with the campaign,” reads the blog post.
The campaign also involved the DeathNote (aka Operation Dream Job) malware cluster, an updated variant of the BlindingCan RAT. The use of the BlindingCan RAT was first documented in August 2020 by the United States Cybersecurity and Infrastructure Security Agency (CISA). BlindingCan was used in attacks on US and foreign companies involved in the military, defence, and aerospace industries.
The BLINDINGCAN RAT implements the following built-in functions:
- Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
- Get operating system (OS) version information
- Get processor information
- Get system name
- Get local IP address information
- Get the victim's media access control (MAC) address
- Create, start, and terminate a new process and its primary thread
- Search, read, write, move, and execute files
- Get and modify file or directory timestamps
- Change the current directory for a process or file
- Delete the malware and artifacts associated with it from the infected system
Ariel Jungheit of Kaspersky's Global Research and Analysis Team (GReAT) commented on the risks of supply chain attacks such as the SolarWinds hack and warned that nation-state actors are investing in such capabilities.
“When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization, something we saw clearly with the SolarWinds attack last year. With threat actors investing in such capabilities, we need to stay vigilant and focus defense efforts on that front.”