
Nation-State Cyberspy Group Drops Coin Miners as Distraction Technique

A nation-state threat actor was observed using cryptocurrency miners to avoid attracting too much attention and establish persistence in targeted networks, Microsoft reported on Monday.

Typically associated with cybercrime activities, these miners generate only low-priority alerts, largely because they are not considered sophisticated threats, and security teams don’t treat them with high urgency.

This is exactly why a nation-state actor tracked by Microsoft as BISMUTH, which shows a series of similarities with a Vietnam-linked group named OceanLotus, adopted crypto-miners in campaigns running from July to August 2020. The attacks targeted private and government organizations in France and Vietnam.

Active since at least 2012, BISMUTH was observed running complex cyber-espionage attacks targeting governments, multinational corporations, the education and financial services sectors, and human and civil rights entities.

The group is known for the use of both custom and open-source tools and for leveraging techniques ranging from typical to more advanced, mainly focused on setting up continuous monitoring and espionage and on stealing data of interest.

BISMUTH’s use of coin miners is consistent with its methods of blending in. The attacks involved the use of spear-phishing emails specifically tailored for the target, and the heavy use of DLL side-loading (leveraging copies of legitimate software, such as outdated versions of Microsoft Defender Antivirus, Word 2007, Sysinternals DebugView, and a McAfee on-demand scanner).

“If we learned anything from ‘commodity’ banking Trojans that bring in human-operated ransomware, we know that common malware infections can be indicators of more sophisticated cyberattacks and should be treated with urgency and investigated and resolved comprehensively,” Microsoft notes.

Spear-phishing emails were sent to a single recipient at each target organization. The group would also correspond with some targets before attempting to trick them into opening malicious attachments.


Once it has compromised a network, the adversary performs extensive discovery (this stage could take up to a month) before moving laterally to high-value targets, such as servers. Evasive PowerShell scripts are used to ensure the activity remains undetected, along with KerrDown, an exclusive, custom BISMUTH malware family.

The information the adversary collected included directory forest and domain organizational unit (OU) data, credentials, and domain trust information. The group would also ping databases and file servers containing high-value information, drop a Cobalt Strike beacon, and set up a scheduled task for persistence.
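As an added illustration (not code from Microsoft’s report or from this article), the following Python sketch shows how a SOC could act on the lesson above: rather than closing a coin-miner alert as low priority, correlate it with the later intrusion stages the report describes (encoded PowerShell, suspected DLL side-loading, scheduled-task persistence, a Cobalt Strike beacon) on the same host. The event schema, executable names, install directories, host names and telemetry are all constructed for the example.

```python
from datetime import datetime, timedelta

# Intrusion-stage signals the article ties to BISMUTH activity after the miner drop.
HIGH_SIGNAL = {"encoded_powershell", "dll_sideload_suspect",
               "scheduled_task_created", "cobalt_strike_beacon"}

# Constructed mapping: executable name -> directories where the genuine copy lives.
# The names are placeholders, not the real binaries named in the report.
EXPECTED_DIRS = {
    "avscanner.exe": ["C:/Program Files/AV Vendor/"],
    "dbgview.exe": ["C:/Tools/Sysinternals/"],
}

def sideload_suspect(image_path, expected_dirs=EXPECTED_DIRS):
    """True when a known-good executable name runs outside its expected directory,
    the pattern behind side-loading a malicious DLL next to a copied legitimate binary."""
    directory, _, name = image_path.replace("\\", "/").rpartition("/")
    name, directory = name.lower(), directory.lower() + "/"
    if name not in expected_dirs:
        return False
    return not any(directory.startswith(d.lower()) for d in expected_dirs[name])

def escalate_commodity_alerts(events, window_days=30):
    """Map host -> ordered list of intrusion signals seen within window_days of a
    low-priority coin-miner alert; hosts with a miner alone are not returned."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    escalations = {}
    for host, evs in by_host.items():
        for miner in (e for e in evs if e["type"] == "coinminer"):
            lo, hi = miner["ts"] - timedelta(days=window_days), miner["ts"] + timedelta(days=window_days)
            related = sorted((e for e in evs if e["type"] in HIGH_SIGNAL and lo <= e["ts"] <= hi),
                             key=lambda e: e["ts"])
            if related:
                escalations[host] = [e["type"] for e in related]
                break
    return escalations

# Constructed sample telemetry: two hosts with miner alerts, one of which also shows
# the later intrusion stages described in the article within the correlation window.
SAMPLE_EVENTS = [
    {"host": "ws-finance-07", "ts": datetime(2020, 7, 14), "type": "coinminer"},
    {"host": "ws-finance-07", "ts": datetime(2020, 7, 20), "type": "encoded_powershell"},
    {"host": "ws-finance-07", "ts": datetime(2020, 8, 3), "type": "scheduled_task_created"},
    {"host": "ws-hr-02", "ts": datetime(2020, 7, 15), "type": "coinminer"},
    {"host": "ws-hr-02", "ts": datetime(2020, 9, 30), "type": "scheduled_task_created"},  # outside window
]
```

Widening `window_days` to cover the month-long discovery phase the report mentions pulls `ws-hr-02` into the escalation list as well.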

Targets in Vietnam included organizations such as former state-owned enterprises (SOEs), entities owning significant portions of former SOEs, and organizations that conduct transactions with government agencies in Vietnam.

“Although the group’s specific objectives for these recent attacks cannot be defined with high confidence, BISMUTH’s past activities have included operations in support of broader espionage goals,” Microsoft notes.

Related: Vietnam-Linked Cyberspies Use New macOS Backdoor in Attacks

Related: PhantomLance: Vietnamese Cyberspies Targeted Android Users for Years

Related: Vietnamese Hackers Mount COVID-19 Espionage Campaigns Against China

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
