A complex toolset of implants: In addition to Cobalt Strike, the group uses various other malware payloads and command-and-control (C2) frameworks, including VShell, Havoc, SparkRat, and Sliver. On compromised web servers, the attackers deploy a variety of web shells, including Behinder, Neo-reGeorg, and Godzilla.

On Linux servers the group has been seen deploying a rootkit dubbed ShadowGuard, which leverages the Extended Berkeley Packet Filter (eBPF), a powerful feature for running sandboxed code inside the Linux kernel.

“eBPF backdoors are notoriously difficult to detect because they operate entirely within the highly trusted kernel space,” the researchers said. “eBPF programs do not appear as separate modules. Instead, they execute inside the kernel’s BPF virtual machine, making them inherently stealthy. This allows them to manipulate core system functions and audit logs before security tools or system monitoring applications can see the true data.”

ShadowGuard appears to be a tool that’s unique to this group and allows them to hide processes, files, and directories.

To conceal outgoing network traffic from victim networks, the attackers use a variety of relay and proxy servers running tunneling software like the GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX, but their C2 servers are typically hosted on virtual private servers (VPS) from the US, UK, and Singapore.
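Because loaded eBPF programs never show up in a kernel-module inventory, a defender has to enumerate them through the BPF subsystem itself (for example `bpftool prog show --json`). The following triage script is an added example, not code from the Palo Alto report or from ShadowGuard analysis; the JSON sample is constructed to resemble bpftool output, and the set of "hooking-capable" program types and the list of expected holder processes are assumptions to tune per fleet.

```python
"""Triage loaded eBPF programs from `bpftool prog show --json` output.

Unlike kernel modules, eBPF programs are invisible to `lsmod`; bpftool (or the
bpf() syscall's BPF_PROG_GET_NEXT_ID) is what enumerates them. The sample JSON
below is constructed; the type set and allow-list are this script's assumptions.
"""
import json

# Program types that can observe or alter kernel-side behaviour (kprobes,
# tracepoints, LSM hooks, traffic classifiers). Assumption: these merit review.
HOOKING_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing",
                 "lsm", "sched_cls", "sched_act"}

# Processes expected to hold eBPF programs on this host (assumption; tune per fleet).
EXPECTED_HOLDERS = {"systemd", "cilium-agent", "falco"}

# Constructed sample shaped like bpftool's JSON; ids, names and comms are made up.
SAMPLE_BPFTOOL_JSON = """[
  {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress", "loaded_at": 1731000000,
   "uid": 0, "bytes_xlated": 64, "jited": true, "pids": [{"pid": 1, "comm": "systemd"}]},
  {"id": 57, "type": "kprobe", "name": "kp_sys_getdents64", "loaded_at": 1731004000,
   "uid": 0, "bytes_xlated": 1808, "jited": true, "pids": [{"pid": 4471, "comm": "shguard"}]},
  {"id": 58, "type": "tracepoint", "name": "tp_audit_log", "loaded_at": 1731004001,
   "uid": 0, "bytes_xlated": 960, "jited": true, "pids": []}
]"""


def triage(bpftool_json: str) -> list[dict]:
    """Return one finding per program whose type can hook kernel paths and whose
    holder is not on the expected list, or that has no live holder at all
    (a pinned or orphaned program is still running even with no owning process)."""
    findings = []
    for prog in json.loads(bpftool_json):
        if prog.get("type") not in HOOKING_TYPES:
            continue
        holders = {p["comm"] for p in prog.get("pids", [])}
        if holders and holders <= EXPECTED_HOLDERS:
            continue
        findings.append({
            "id": prog["id"], "type": prog["type"], "name": prog.get("name", ""),
            "holders": sorted(holders),
            "reason": "no holding process (pinned or orphaned)" if not holders
                      else "unexpected holder",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_BPFTOOL_JSON):
        print(f"[!] prog id={f['id']} type={f['type']} name={f['name']!r} "
              f"holders={f['holders']}: {f['reason']}")
```

On a live host, feed it `bpftool prog show --json` (run as root) instead of the sample; a finding is a starting point for review, not proof of a rootkit.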
Increase in targeting: Palo Alto believes the group is expanding its operations because it has scanned networks of organizations from 155 countries for known vulnerabilities since October. The scans appear to be targeted on IP addresses belonging to government infrastructure and specific targets of interest.

For example, during the US government shutdown that began in October, the group started scanning the infrastructure of governments in the Americas, including in Brazil, Canada, Dominican Republic, Guatemala, Honduras, Jamaica, Mexico, Panama, and Trinidad and Tobago. The researchers believe the group has already compromised entities in Bolivia, Brazil, Mexico, Panama, and Venezuela.

The group seems to time its targeting to certain events. For example, when the president of Czechia met with the Dalai Lama in August, the group immediately started scanning the computer infrastructure belonging to the Czech Army, police, parliament, and presidency, as well as its ministries of interior, finance, and foreign affairs.

“TGR-STA-1030 remains an active threat to government and critical infrastructure worldwide,” Palo Alto said. “The group primarily targets government ministries and departments for espionage purposes. We assess that it prioritizes efforts against countries that have established or are exploring certain economic partnerships.”

The company’s report includes indicators of compromise, including IP addresses, domain names, and file hashes for the implants used by the group.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4128378/new-apt-group-breached-gov-and-critical-infrastructure-orgs-in-37-countries.html