Kaspersky recent Q3 APT trend report highlights the significant growth. APT actors are continuously keep evolving and changing their TTP.
Report on Chinese Activities
- A41APT has been observed with updated versions of SodaMaster and Ecipekac and a new malicious fileless IIS module dubbed IISBack.
- DiceyF, spotted targeting online gambling platform development studios and IT recruitment organizations in Hong Kong, China Philippines and Vietnam.
- KeyPlug, a modular backdoor targets high-profile victims in Asian countries. Attributed malware and the infrastructure to a previously known APT41 group.
- APT10, seen using the new version of LODEINFO and a downloader shellcode dubbed DOWNIISSA.
Report on Middle East activities
- FramedGolf, a newly discovered IIS backdoor, exploited ProxyLogon-type vulnerabilities on Exchange servers to target Iranian organizations.
- SilentBreak group used two new implants named SoleExecutor and Powerpol of SoleDragon malware.
- A new spyware SandStrike was used by a threat group to infect the Android devices of a religious minority in Iran.
- DeftTorero uses Explosive RAT as a final payload.
Report on Southeast Asia activities
- Activities of the Lazarus group seen with the DeathNote cluster. The group used an updated Racket Downloader to deploy additional malware for further post-exploitation activity.
- The Tropic Trooper APT was found to have links with the Antlion campaign and it targets the finance sector, tech hardware, and semiconductors industry, as well as a political entity in East and Southeast Asia.
- Kimsuky and Dropping Elephant used the same attack methods with frequently updated tools to gather intelligence data.
- North Korean state-sponsored APT Andariel has been using Maui ransomware to target the healthcare sector.
- The TTP of HotCousin were found very similar to those used by The Dukes, affecting diplomatic and government organizations and foreign affairs ministries in Europe, Asia, Africa, and South America.
APT groups have remained consistent with their targets and TTPs, some have updated their toolsets and extended the scope of their activities. The diversified approach of APT groups of these APT artifacts highlights their key developments over time.