APT15’s New Backdoors; Two Botnets Dominate Global Spam

13 Mar 2018 - Around the Web

APT15 Targets Major U.K. Government Contractor

APT15 (aka Ke3chang, Mirage, Vixen Panda GREF and Playful Dragon) compromised the networks of an unidentified contracting firm that provides services to the U.K. government and military and stole a variety of sensitive documents, according to NCCGroup research published over the weekend. Of particular interest, NCCGroup says that the suspected state-sponsored hacking group has added a pair of backdoors to its arsenal: one identified as RoyalCli and another known as RoyalDNS. These new backdoors round out an arsenal that already included another backdoor, BS2005, which, like RoyalCli, communicates with its command and control server (C2) using the COM interface IWebBrowser2 within Internet Explorer. RoyalDNS, on the other hand, communicates with its C2 via DNS TXT records. Once on a victim’s network, the group uses a variety of legitimate utilities to move laterally and carry out reconnaissance, including tasklist.exe, ping.exe, netstat.exe, net.exe, systeminfo.exe, ipconfig.exe, bcp.exe, and RemoteExec (similar to PSExec). The group also deploys keyloggers, Mimikatz, a network scanning and enumeration tool, WinRAR, and a customized Sharepoint data dumping tool called “spwebmember.” NCCGroup says that it discovered typographical errors in some of the group’s commands, suggesting that the attacks are not automated but rather carried out manually. Researchers posted the associated IoCs on GitHub.

Necurs and Gamut Botnets Responsible for 97 Percent of Spam

Just two botnets, Necurs and Gamut, currently dominate the spam scene, accounting for 60 and 37 percent of spam email traffic respectively, according to McAfee’s latest quarterly threat report. Beyond these, the total volume malware increased across the board, with quarter-over-quarter increases in Mac malware, mobile malware, and ransomware throughout 2017. Macro-, Javascript-, and PowerShell-enabled malware all increased quarter-over-quarter in 2016 and 2017 as well. The top three targeted sectors in 2017 were the public-sector, the healthcare-sector, and the education-sector. The report isn’t totally clear on what was the most popular malware in the fourth quarter of 2017, but it did measure which malware was most active in communicating with its C2 server: the Wapomi bootkit dominated, accounting for 51 percent of all such connections, with the Ramnit banking trojan coming in a distant second with 19 percent, and the OnionDuke backdoor taking third at 7 percent. Attacks targeting the server message block protocol were the top network attacks, accounting for 44 percent of such attacks, with browser-based attacks (15 percent) coming in at second and denials of service (10 percent) placing third.

Transform Your Siloed Security Operations into a Holistic Security Operations Program

Get in Touch Group