China-Linked ‘CactusPete’ Hackers Successful Despite Lack of Sophistication

A Chinese threat actor tracked by Kaspersky as CactusPete was observed leveraging an updated backdoor in recent attacks targeting military and financial organizations in Eastern Europe.

Also referred to as Karma Panda or Tonto Team and active since at least 2013, the threat actor has been mainly focused on military, diplomatic, and infrastructure targets in Asia and Eastern Europe. The adversary lacks sophistication, but has been relatively successful in attacks despite that, the security researchers say.

Attacks observed at the end of February 2020 employed a new variant of the group’s Bisonal backdoor to hit organizations in the military and financial sectors in Eastern Europe. Analysis of the malware revealed the APT released more than 20 samples per month; over 300 identical samples were used between March 2019 and April 2020.

“The target location forced the group to use a hardcoded Cyrillic codepage during string manipulations. This is important, for example, during remote shell functionality, to correctly handle the Cyrillic output from executed commands,” Kaspersky explains.
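The codepage detail above is easy to underestimate: a remote shell on a Russian-locale Windows host emits console output in the OEM codepage (cp866), and a tool that decodes it with a Western default produces unreadable mojibake. The following is an added example written for this article, not code from Kaspersky's report or from the Bisonal malware; the sample console line and the plausibility check are constructed for illustration and show the decoding step from an analyst's side, for instance when reviewing captured command output.

```python
# Added example (not from the article or Kaspersky's analysis): why console bytes from a
# Cyrillic-locale Windows host must be decoded with an explicit codepage.
# The sample line below is constructed for the example.

OEM_RU = "cp866"      # Windows console (OEM) codepage on Russian-locale hosts
ANSI_RU = "cp1251"    # Windows ANSI codepage on the same hosts (GUI/file APIs, not the console)
WESTERN_DEFAULT = "cp1252"  # what an analyst's tool might assume if it never sets a codepage

# A constructed first line of Russian-language `dir` output as the console would emit it.
SAMPLE_TEXT = "Каталог: C:\\Users"
SAMPLE_CP866 = SAMPLE_TEXT.encode(OEM_RU)


def decode_console_output(raw: bytes, codepage: str) -> str:
    """Decode raw console bytes with an explicit codepage rather than the locale default.

    Undecodable bytes become U+FFFD instead of raising, so a wrong codepage is visible
    in the output rather than aborting the analysis.
    """
    return raw.decode(codepage, errors="replace")


def looks_like_cyrillic_text(text: str) -> bool:
    """Crude plausibility check: non-ASCII characters should be almost all Cyrillic.

    Returns False when the decoded text contains replacement characters or when the
    non-ASCII portion is dominated by Latin-1 symbols, both signs of a wrong codepage.
    """
    if "\ufffd" in text:
        return False
    non_ascii = [ch for ch in text if not ch.isascii()]
    if not non_ascii:
        return False
    cyrillic = sum(1 for ch in non_ascii if "\u0400" <= ch <= "\u04ff")
    return cyrillic / len(non_ascii) >= 0.9


def decode_with_check(raw: bytes, codepage: str) -> tuple[str, bool]:
    """Decode and report whether the result passes the Cyrillic plausibility check."""
    text = decode_console_output(raw, codepage)
    return text, looks_like_cyrillic_text(text)


if __name__ == "__main__":
    for cp in (OEM_RU, ANSI_RU, WESTERN_DEFAULT):
        text, ok = decode_with_check(SAMPLE_CP866, cp)
        print(f"{cp:>7}: {'ok ' if ok else 'bad'} {text!r}")
```

Note that cp866 bytes decoded as cp1251 also yield Cyrillic characters (just the wrong ones), so the plausibility check catches a Western default but not a mix-up between the two Russian codepages; telling those apart needs either the host's reported codepage identifier or a dictionary-based check.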

While the delivery method for the new attacks is yet unknown, the threat actor was previously observed leveraging spear-phishing for intrusion. The emails carried attachments attempting to exploit recently patched vulnerabilities, but leveraged other methods as well to ensure successful compromises.

Upon initial communication with the attackers’ server, the malware sends information on the victim host and network, including the hostname, IP and MAC address; the OS version; the infected host’s time; proxy usage flags; whether it was executed in a VMware environment; and the system default CodePage Identifier.

On the compromised system, the backdoor can execute a remote shell, silently run programs, retrieve the process list, terminate processes, upload/download/erase files, list available drives, and retrieve a list of files in a specified folder.

In addition to reconnaissance and gaining deeper access to a compromised network, the hackers use custom Mimikatz iterations and keyloggers to steal credentials, and attempt to escalate privileges.
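Custom Mimikatz builds defeat signature matching, but credential dumping still has to open LSASS with memory-read access, which Sysmon Event ID 10 (ProcessAccess) records. The following is an added example written for this article, not code from Kaspersky or from any CactusPete tooling: a small detection that runs over constructed Sysmon-style log lines, flags non-allowlisted processes that open lsass.exe with PROCESS_VM_READ, and escalates when the call stack contains unbacked memory. The key=value log format, the allowlist and the sample events are assumptions for the example and should be tuned to the environment.

```python
# Added example (not from the article or Kaspersky's report): detecting LSASS memory access
# in Sysmon Event ID 10 records, the behaviour Mimikatz-style credential theft depends on.
# The flattened key=value format and the sample records below are constructed.
import re
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010            # required to read credential material out of LSASS
PROCESS_QUERY_INFORMATION = 0x0400  # 0x1010 and 0x1410 are classic Mimikatz access masks

# Processes that routinely open LSASS on a stock Windows host; assumption for the example.
BENIGN_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "lsass.exe",
                  "msmpeng.exe", "svchost.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

# Constructed Sysmon Event ID 10 records, flattened to key=value pairs.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe "
    "GrantedAccess=0x1000 CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d1e4",
    "EventID=10 SourceImage=C:\\Users\\Public\\update.exe TargetImage=C:\\Windows\\System32\\lsass.exe "
    "GrantedAccess=0x1010 CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d1e4|UNKNOWN(0000020000002A4F)",
    "EventID=10 SourceImage=C:\\Program Files\\Windows Defender\\MsMpEng.exe TargetImage=C:\\Windows\\System32\\lsass.exe "
    "GrantedAccess=0x1fffff CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d1e4",
    "EventID=10 SourceImage=C:\\Windows\\Temp\\svc.exe TargetImage=C:\\Windows\\System32\\notepad.exe "
    "GrantedAccess=0x1410 CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d1e4",
    "EventID=10 SourceImage=C:\\Windows\\Temp\\svc.exe TargetImage=C:\\Windows\\System32\\lsass.exe "
    "GrantedAccess=0x1fffff CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d1e4|C:\\Windows\\Temp\\svc.exe+1234",
]

# Lazy value match up to the next " Key=" token, so paths containing spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Alert:
    source: str
    granted: int
    reasons: list


def parse_event(line: str) -> dict:
    """Turn one flattened key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_lsass_access(events) -> list:
    """Return an Alert for every suspicious LSASS open in the given records."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "10" or basename(ev.get("TargetImage", "")) != "lsass.exe":
            continue
        granted = int(ev.get("GrantedAccess", "0"), 16)
        if not granted & PROCESS_VM_READ:
            continue  # query-only handles cannot read credential material
        src = ev.get("SourceImage", "")
        if basename(src) in BENIGN_SOURCES and src.lower().startswith(TRUSTED_DIRS):
            continue  # allowlisted name *and* trusted location; name alone is not enough
        reasons = ["non-allowlisted process opened lsass.exe with PROCESS_VM_READ"]
        if "UNKNOWN" in ev.get("CallTrace", ""):
            reasons.append("call stack contains unbacked memory (UNKNOWN), typical of injected code")
        if not src.lower().startswith(TRUSTED_DIRS):
            reasons.append("source binary outside System32/Program Files")
        alerts.append(Alert(src, granted, reasons))
    return alerts


if __name__ == "__main__":
    for a in detect_lsass_access(SAMPLE_EVENTS):
        print(f"{a.source} (0x{a.granted:x}): " + "; ".join(a.reasons))
```

The allowlist deliberately requires both a known image name and a trusted directory, because a renamed dropper in a user-writable path is exactly the case the rule should catch; the unbacked-memory check on CallTrace is the stronger signal when the attacker runs the dumper reflectively inside an otherwise legitimate process.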

“Since the malware contains mostly information gathering functionality, most likely they hack into organizations to gain access to the victims’ sensitive data. If we recall that CactusPete targets military, diplomatic and infrastructure organizations, the information could be very sensitive indeed,” Kaspersky notes.

Other malware employed by the adversary includes the DoubleT backdoor, along with CALMTHORNE, Curious Korlia, and DOUBLEPIPE.

Despite being a medium-level group in terms of technical capabilities, CactusPete was observed using more complex code, such as ShadowPad, which suggests outside support. ShadowPad was leveraged in attacks targeting defense, energy, government, mining, and telecom entities in Asia and Eastern Europe.

The group was historically observed targeting organizations in South Korea, Japan, the US and Taiwan, but it has expanded the target list to additional Asian and Eastern European regions over the past couple of years.

“We call CactusPete an Advanced Persistent Threat (APT) group, but the Bisonal code we analyzed is not that advanced. Yet, interestingly, the CactusPete APT group has had success without advanced techniques, using plain code without complicated obfuscation and spear-phishing messages with ‘magic’ attachments as the preferred method of distribution,” Kaspersky concludes.

Related: Chinese Hackers Target Uyghurs With Multiple Android Surveillance Tools

Related: Chinese Hackers Target Air-Gapped Systems With Custom USB Malware

Related: Chinese Hackers Target Air-Gapped Military Networks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
