Kaspersky uncovers new targeted campaign against financial and military organizations in Eastern Europe

Woburn, MA – August 13, 2020 – Using Kaspersky Threat Attribution Engine, Kaspersky researchers were able to link more than 300 samples of a backdoor called Bisonal to a campaign by the advanced persistent threat actor (APT) CactusPete, a cyberespionage group active since at least 2012. This latest campaign has focused on military and financial targets in Eastern Europe and highlights the group’s rapid development.

CactusPete, also known as Karma Panda or Tonto Team, is a cyberespionage group that has been active since at least 2012. This time, they’ve upgraded their backdoor to target organization in the military and financial sectors in Eastern Europe, most likely in an effort to gain access to confidential information. The speed at which the new malware samples are being created suggest the group is rapidly developing. Organizations in the region should be on alert.

This most recent wave of activity was first noticed by Kaspersky researchers in February 2020 when they spotted an updated version of the group’s Bisonal backdoor. They linked this sample with more than 300 others in the wild using Kaspersky Threat Attribution Engine, a tool for analyzing malicious code for similarities with code deployed by known threat actors, in order to determine the group behind an attack.

All 300 samples appeared between March 2019 and April 2020, a pace of about 20 samples per month, which underscores the fact that CactusPete is developing rapidly. The group has continued to refine its capabilities, gaining access to more sophisticated code, like ShadowPad in 2020.

The functionality of the malicious payload suggests the group is after highly sensitive information. Once installed on the victim’s device, the Bisonal backdoor it uses allows the group to silently start various programs, terminate any processes, upload/download/delete files, and retrieve a list of available drives. In addition, as the operators move deeper into the infected system, they deploy keyloggers to harvest credentials and download privilege escalation malware to gradually gain more and more control over the system.

It’s unclear how the backdoor is initially downloaded in this latest campaign. In the past, CactusPete has primarily relied on spear-phishing with emails that contain malicious attachments. If the attachment is opened, then the device becomes infected.

“CactusPete is a rather interesting APT group because it’s actually not that advanced—the Bisonal backdoor included,” said Konstantin Zykov, senior security researcher at Kaspersky.

“Their success comes not from sophisticated technology or complex distribution and obfuscation tactics, but from a successful application of social engineering tactics. They are able to succeed in infecting high-level targets because their victims click on the phishing emails and open the malicious attachments. This is a great example of why phishing continues to be such an effective method for launching cyber attacks and why it’s so important for companies to provide their employees with training on how to spot such emails and stay up-to-date on the latest threat intelligence so that they can spot an advanced actor.”

Learn more about CactusPete’s latest activity on Securelist.

To protect your institutions from CactusPete and other APTs, Kaspersky experts recommend:

• Provide your Security Operations Center (SOC) team with access to the latest threat intelligence, and stay up-to-date with new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
• For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions, such as Kaspersky Endpoint Detection and Response.
• Provide your staff with basic cybersecurity hygiene training, since many targeted attacks start with phishing or other social engineering techniques. Conduct a simulated phishing attack to ensure that they know how to distinguish phishing emails.
• To quickly link new malicious samples with known attack actors, implement Kaspersky Threat Attribution Engine.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.