Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Two APTs Used Same Zero-Day to Target Individuals in Europe

Researchers at Microsoft have observed two separate advanced persistent threat (APT) actors that leveraged the same Flash Player zero-day vulnerability to spy on Turkish citizens living in Turkey and various other European countries.

Researchers at Microsoft have observed two separate advanced persistent threat (APT) actors that leveraged the same Flash Player zero-day vulnerability to spy on Turkish citizens living in Turkey and various other European countries.

Dubbed by Microsoft PROMETHIUM and NEODYMIUM – the company assigns chemical element names to threat actors – the groups used different infrastructure and malware, but there are some similarities that indicate a possible connection at a higher organizational level.

The attacks, spotted in early May, leveraged a Flash Player exploit (CVE-2016-4117) that Adobe patched on May 12. The groups used the same exploit at the same time, before it was publicly disclosed, and against the same type of targets.

The group tracked as PROMETHIUM has been active since at least 2012. In the attacks observed by Microsoft, the actor sent out links via instant messaging applications. The links pointed to documents set up to exploit CVE-2016-4117 in an effort to deliver a piece of malware dubbed Truvasys.

Truvasys has been mainly observed in western European countries, but it has been configured to target devices with Turkish locale settings (i.e. parameters that define the user’s language and region). This indicates that the attackers were particularly interested in Turkish citizens living in Turkey and western European countries.

In some cases, the attackers also delivered a piece of malware named Myntor, but Microsoft has not been able to determine the criteria for pushing this second threat onto a victim’s computer.

PROMETHIUM’s activities have also been analyzed by Kaspersky Lab, which named the group and its malware StrongPity. In the attacks observed by the security firm, the actor used watering holes and poisoned application installers to deliver their malware. Kaspersky noted in its analysis that StrongPity’s techniques were similar to the ones of Russia-linked threat actor Crouching Yeti (aka Energetic Bear and Dragonfly).

NEODYMIUM also leveraged the same CVE-2016-4117 exploit in early May, before its existence was disclosed. The attackers used spear-phishing emails carrying malicious documents to deliver their malware.

Advertisement. Scroll to continue reading.

This group has used a backdoor, dubbed by Microsoft Wingbird, that is very similar to the notorious government-grade commercial spyware FinFisher. Researchers believe Wingbird is a relatively new version of FinFisher.

“The publisher, FinFisher GmbH, claims that it sells the software exclusively to government agencies for use in targeted and lawful criminal investigations,” Microsoft said. “The apparent use of a version of FinFisher suggests that the exploit and the spear phishing campaign that delivered it were the work of an attack group probably connected in some way to a state actor.”

More than 80 percent of NEODYMIUM victims spotted by Microsoft were located in Turkey, but infections were also detected in the U.S., Germany and the U.K. The company pointed out that Wingbird has only been used to target individuals, not devices that are part of an organization’s network.

Additional details on PROMETHIUM and NEODYMIUM, including indicators of compromise (IoC), are available in Microsoft’s latest Security Intelligence Report.

Related: Pawn Storm Group Targets Turkey

Related: Turkey to Probe Massive ‘Personal Data Leak’

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.