Threat Watch

CactusPete Threat Actor Evolved Bisonal Backdoor

CactusPete: The Advanced Persistent Threat (APT) group CactusPete has made improvements to the Bisonal backdoor, which they have recently used to attack financial and military organizations across Europe. Tracked as a likely Chinese-backed nation-state actor, the group has a record of targeting countries including Russia, Europe, Japan, and South Korea. Researchers at Kaspersky Labs, who released a report on the group’s tactics this past week, stated that the threat group typically targets sensitive data held by diplomatic and infrastructure organizations. The Bisonal Trojan has been in active development for over a decade and uses dynamic DNS to communicate with a Command and Control (C2) server. Development on the trojan has continually improved obfuscation modules, but some of the features of the malware are still not at the level of sophistication usually associated with Advanced Persistent Threats (APTs). For example, the latest version used RC4 encryption, XOR encoding and support for proxy servers, among other features. Samples of the newest version were originally identified in February 2020, and since then over 20 new samples per month have been appearing. Due to the languages used by intended targets in Europe, the threat actors also tweaked the backdoor to use hardcoded Cyrillic code during string manipulations. Past campaigns have used phishing emails for the first phase of the attack and are used in part with keyloggers and custom versions of Mimikatz to obtain passwords, maintain persistence in the affected network and steal the victim’s data.

ANALYST NOTES

Kaspersky Labs researchers noted in their report that Cactus Pete is not as sophisticated as other APTs that they are tracking. The appearance of the new version of the backdoor could be due to new support and resources the group may have received. As with many campaigns, this one is likely initiated with a spear-phishing email that includes a malicious attachment. Proper training for employees, especially those who work in industries that deal with highly sensitive information, is an important first step in preventing these attacks. Utilizing endpoint monitoring such as Binary Defense’s Managed Detection and Response (MDR) is also crucial in identifying attacks in early stages and stopping them.

More can be read here: https://www.zdnet.com/article/cactuspete-threat-group-goes-on-the-rampage-with-a-new-bisonal-backdoor/