Multiple antivirus companies received a collection of malware samples, some of which could not be associated with the activity of known APT groups. These malware strains did not present any similarities with malware associated with other APT groups.
Purple Lambert is composed of several modules, with its network module passively listening for a magic packet. It is capable of providing an attacker with basic information about the infected system and executing a received payload.
The Lambert APT (aka Longhorn APT) has been active since at least 2008, but its first samples were spotted in 2014. The group is highly sophisticated and targeted organizations worldwide using a complex cyberattack platform that could target both Windows and OSX systems.
Kaspersky named this collection of samples Purple Lambert. The new malware has a modular structure, and its network module passively listens for a magic packet. The malicious code collects basic information about the infected system and also allows attackers to execute an additional payload.
Purple Lambert implements functionality similar to, but in different ways from, Gray Lambert and White Lambert, which are kernel-mode passive-listener implants.
Spying tools and operational protocols detailed in the recent Vault 7 leak have been used in cyberattacks against at least 40 targets in 16 different countries by a group Symantec calls Longhorn. The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks.
The Longhorn group is a well-resourced hacking team that operated on a standard Monday to Friday working week in an American time zone. The nature of the targets and its Tactics, Techniques, and Procedures (TTPs) suggests the Longhorn group is a state-sponsored crew.
The targets were all located in the Middle East, Europe, Asia, and Africa. In one case, the researchers observed the Longhorn group compromising a computer in the US; following infection, an uninstaller was quickly executed, which suggests that this victim was infected unintentionally.