CactusPete APT Hones Toolset, Resurfaces with New Espionage Targets

The China-based APT known as CactusPete has returned with a new campaign aimed at military and financial targets in Eastern Europe, which is a new geography for the group’s victimology, according to researchers. The group also used a fresh variant of the Bisonal backdoor, which allows the attackers to steal information, execute code on target machines and perform lateral movement inside a network.

The activity, which Kaspersky tracked through the end of April, involved multiple sample versions of Bisonal, though these were nearly identical to each other. The samples have been compiled rapidly, with more than 20 of them per month appearing in the wild, the firm found.

“This underlines the speed of CactusPete’s development,” noted Kaspersky researcher Konstantin Zykov, in a blog post on Thursday. He added that the backdoor was likely delivered to targets via spear-phishing emails with attachments containing exploits for known vulnerabilities, according to the analysis.

On the technical side, the malware is fairly straightforward: Once the malware executes, it connects to a hard-coded command-and-control server (C2) using unmodified HTTP-based protocol.

“The request-and-response body are RC4-encrypted, and the encryption key is also hardcoded into the sample,” according to Zykov. “As the result of the RC4 encryption, it may contain binary data, [and] the malware additionally encodes it in Base64, to match the HTTP specification.”

Once attached to the C2, Bisonal harvests various machine-fingerprint information, such as hostname, IP and MAC address; Windows version; and the time set on the infected host, and sends it on. After that, it lies in wait on the target machine, occasionally pinging the C2 to see if there are any commands for it to carry out. In his analysis, Zykov foundthat Bisonal’s capabilities include executing a remote shell; silently starting a program; terminating any process; uploading, downloading or deleting files; and retrieving other data, like a list of available drives, a filelist of a specified folder or a list of processes.

“This set of remote commands helps the attackers study the victim environment for lateral movement and deeper access to the target organization,” Zykov explained. “The group continues to push various custom Mimikatz variants and keyloggers for credential harvesting purposes, along with privilege-escalation malware.”

He added, “If we recall that CactusPete targets military, diplomatic and infrastructure organizations, the information [gathered] could be very sensitive indeed.”

CactusPete (also known as Karma Panda or Tonto Team) is a Chinese-speaking APT group that has been publicly known since at least 2013, according to the blog post. Zykov categorizes the group’s technical capabilities as historically “medium-level,” though that appears to be changing. For instance, in late 2019 and 2020, CactusPete started to deploy ShadowPad malware, which has been seen in the past used in supply-chain attacks.

“They appear to have received support and have access to more complex code like ShadowPad,” Zykov noted, which the group used against government organizations, energy, mining, defense bodies and telecom companies.

In addition to adding better tools, the Chinese-speaking APT has expanded its geographic focus as well, according to the researcher. Typically, CactusPete has collected victims in Japan, South Korea, Taiwan and the U.S. More recent campaigns in 2020 show that the group has shifted towards other Asian and Eastern European organizations.

For instance, a modified DoubleT backdoor campaign targeting telecom and governmental organizations and other victims in new parts of Asia and Eastern Europe was spotted this year.

“The group does continuously modify the payload code, studies the suggested victim in order to craft a trustworthy phishing email, sends it to an existing email address in the targeted company and makes use of new vulnerabilities and other methods to inconspicuously deliver the payload once an attachment has been opened,” Zykov said, suggesting that CactusPete is developing into a larger threat to keep an eye on.

That said, the group’s is still relying on less sophisticated tools, he added, as evidenced by Bisonal. For instance, in terms of functionality, “the Bisonal code we analyzed is not that advanced,” Zykov noted. “Yet, interestingly, the CactusPete APT group has had success without advanced techniques, using plain code without complicated obfuscation and spear-phishing messages with ‘magic’ attachments as the preferred method of distribution…The infection occurs not because of advanced technologies used during the attack, but because of those who view the phishing emails and open the attachments.”

It’s the age of remote working, and businesses are facing new and bigger cyber-risks – whether it’s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary Threatpost eBook, 2020 in Security: Four Stories from the New Threat Landscape_, presented in conjunction with Forcepoint. We redefine “secure” in a work-from-home world and offer compelling real-world best practices. Click here to download our eBook now._