CactusPete: The Advanced Persistent Threat (APT) group CactusPete has made improvements to its Bisonal backdoor, which it has recently used to attack financial and military organizations across Europe. Tracked as a likely Chinese-backed nation-state actor, the group has a record of targeting Russia, Europe, Japan, and South Korea. Researchers at Kaspersky, who released a report on the group's tactics this past week, stated that the threat group typically targets sensitive data held by diplomatic and infrastructure organizations. The Bisonal Trojan has been in active development for over a decade and uses dynamic DNS to communicate with its Command and Control (C2) server. Development has steadily improved the trojan's obfuscation modules, but some of the malware's features are still not at the level of sophistication usually associated with APTs. The latest version adds RC4 encryption, XOR encoding and proxy-server support, among other features. Samples of the newest version were first identified in February 2020, and since then new samples have appeared at a rate of over 20 per month. Because of the languages used by the intended targets in Europe, the threat actors also tweaked the backdoor to use a hardcoded Cyrillic code page during string manipulation. Past campaigns have opened with phishing emails as the first phase of the attack, followed by keyloggers and custom versions of Mimikatz to obtain passwords, maintain persistence in the compromised network and steal the victim's data.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in