Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

China-Linked ‘CactusPete’ Hackers Successful Despite Lack of Sophistication

A Chinese threat actor tracked by Kaspersky as CactusPete was observed leveraging an updated backdoor in recent attacks targeting military and financial organizations in Eastern Europe.

A Chinese threat actor tracked by Kaspersky as CactusPete was observed leveraging an updated backdoor in recent attacks targeting military and financial organizations in Eastern Europe.

Also referred to as Karma Panda or Tonto Team and active since at least 2013, the threat actor has been mainly focused on military, diplomatic, and infrastructure targets in Asia and Eastern Europe. The adversary lacks sophistication, but has been relatively successful in attacks despite that, the security researchers say.

Attacks observed at the end of February 2020 employed a new variant of the group’s Bisonal backdoor to hit organizations in the military and financial sectors in Eastern Europe. Analysis of the malware revealed the APT released more than 20 samples per month; over 300 identical samples were used between March 2019 and April 2020.

“The target location forced the group to use a hardcoded Cyrillic codepage during string manipulations. This is important, for example, during remote shell functionality, to correctly handle the Cyrillic output from executed commands,” Kaspersky explains.

While the delivery method for the new attacks is yet unknown, the threat actor was previously observed leveraging spear-phishing for intrusion. The emails carried attachments attempting to exploit recently patched vulnerabilities, but leveraged other methods as well to ensure successful compromises.

Upon initial communication with the attackers’ server, the malware sends information on the victim network, including hostname, IP and MAC address; OS version; infected host time; proxy usage flags, information on whether it was executed in a VMware environment; and system default CodePage Identifier.

On the compromised system, the backdoor can execute a remote shell, silently run programs, retrieve the process list, terminate processes, upload/download/erase files, list available drives, and retrieve a list of files in a specified folder.

In addition to reconnaissance and gaining deeper access to a compromised network, the hackers use custom Mimikatz iterations and keyloggers to steal credentials, and attempt to escalate privileges.

Advertisement. Scroll to continue reading.

“Since the malware contains mostly information gathering functionality, most likely they hack into organizations to gain access to the victims’ sensitive data. If we recall that CactusPete targets military, diplomatic and infrastructure organizations, the information could be very sensitive indeed,” Kaspersky notes.

Other malware employed by the adversary includes the DoubleT backdoor, along with CALMTHORNE, Curious Korlia, and DOUBLEPIPE.

Despite being a medium-level group in terms of technical capabilities, CactusPete was observed using more complex code, such as ShadowPad, which suggests outside support. ShadowPad was leveraged in attacks targeting defense, energy, government, mining, and telecom entities in Asia and Eastern Europe.

The group was historically observed targeting organizations in South Korea, Japan, the US and Taiwan, but it has expanded the target list to additional Asian and Eastern European regions over the past couple of years.

“We call CatusPete an Advanced Persistent Threat (APT) group, but the Bisonal code we analyzed is not that advanced. Yet, interestingly, the CactusPete APT group has had success without advanced techniques, using plain code without complicated obfuscation and spear-phishing messages with ‘magic’ attachments as the preferred method of distribution,” Kaspersky concludes.

Related: Chinese Hackers Target Uyghurs With Multiple Android Surveillance Tools

Related: Chinese Hackers Target Air-Gapped Systems With Custom USB Malware

Related: Chinese Hackers Target Air-Gapped Military Networks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.