30 September 2020

Palmerworm cyber-spies hide in compromised networks for months

Security researchers from The Threat Hunter Team at Symantec have uncovered a new espionage campaign aimed at organizations in construction, electronics, engineering, media, and finance in Japan, Taiwan, the U.S., and China.

The campaign has been attributed to an APT group known as Palmerworm (BlackTech), which has a long history of targeting companies in East Asia. While Symantec did not attribute Palmerworm’s activity to any specific country, a previous report from Taiwanese officials suggests the group is linked to the Chinese government.

According to the researchers, the attacks started in 2019 and continued into 2020, targeting organizations in the media, construction, engineering, electronics, and finance sectors with the goal of gathering information of interest to the attackers.

In this recent campaign the team observed the Palmerworm hackers leverage dual-use tools such as PuTTY, PsExec, SNScan, and WinRAR, as well as custom malware, including the Consock, Waship, Dalwit, and Nomri backdoors, which had not been seen in previous attacks by the group. Malware used by Palmerworm in the past has included the Kivars and Pled backdoors.

The use of dual-use tools allows the hackers to operate inside victim systems without having to build complex custom malware that could more easily be linked back to a specific group. The attackers have also been observed using stolen code-signing certificates to sign their payloads. The researchers said they were not able to identify the infection vector used to gain initial access to victims’ networks, but in the past the group has used spear-phishing emails for this purpose.
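What detecting this kind of tradecraft looks like in practice, as an added example written for this page (it is not Symantec's detection logic and not part of the original report): a small scanner over process-creation events that flags the dual-use tools named above, treats execution from user-writable paths as more suspicious, and surfaces binaries whose signature validates but whose signer is not on an organisational allowlist. The latter check is the defender's answer to stolen code-signing certificates: a signature that verifies proves only that some certificate signed the file, so the signer subject itself has to be compared against what you expect to see. The log format, field names, host and user names, and signer names are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Dual-use tools named in the Symantec write-up. Matching is on the image
# basename only; a renamed binary would need hash- or PE-metadata checks.
DUAL_USE_TOOLS = {"putty.exe", "psexec.exe", "snscan.exe", "winrar.exe"}

# Placeholder allowlist of code-signing subjects the organisation has approved.
# Constructed names, not real vendors; populate from your software inventory.
APPROVED_SIGNERS = {"Example Corp IT", "Example Vendor Ltd"}

# Directories from which centrally deployed software normally runs.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed log format: space-separated key=value pairs, values optionally quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass
class Event:
    ts: str
    host: str
    user: str
    image: str
    signer: str
    sig_valid: bool


def parse_event(line: str) -> Event:
    """Parse one constructed process-creation line into an Event."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return Event(
        ts=fields.get("ts", ""),
        host=fields.get("host", ""),
        user=fields.get("user", ""),
        image=fields.get("image", ""),
        signer=fields.get("signer", ""),
        sig_valid=fields.get("sig_valid", "no").lower() == "yes",
    )


def image_name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def evaluate(ev: Event) -> list:
    """Return (kind, severity, detail) tuples for a single event."""
    alerts = []
    name = image_name(ev.image)
    if name in DUAL_USE_TOOLS:
        outside = not ev.image.lower().startswith(TRUSTED_DIRS)
        alerts.append(("dual_use_tool", "high" if outside else "medium",
                       f"{name} run from {ev.image} by {ev.user}"))
    # A valid signature from a signer you do not recognise is exactly how a
    # payload signed with a stolen certificate shows up.
    if ev.sig_valid and ev.signer not in APPROVED_SIGNERS:
        alerts.append(("unapproved_signer", "medium",
                       f"valid signature by '{ev.signer}' on {ev.image}"))
    return alerts


def scan(lines, stacking_threshold: int = 2) -> list:
    """Evaluate every line and add a per-host finding when several distinct
    dual-use tools appear on the same host (tool stacking)."""
    findings = []
    tools_per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for kind, sev, detail in evaluate(ev):
            findings.append({"host": ev.host, "ts": ev.ts, "kind": kind,
                             "severity": sev, "detail": detail})
        name = image_name(ev.image)
        if name in DUAL_USE_TOOLS:
            tools_per_host[ev.host].add(name)
    for host, tools in sorted(tools_per_host.items()):
        if len(tools) >= stacking_threshold:
            findings.append({"host": host, "ts": "", "kind": "tool_stacking",
                             "severity": "high",
                             "detail": f"{len(tools)} dual-use tools: {', '.join(sorted(tools))}"})
    return findings


# Constructed sample events (no real hosts, users or signers).
SAMPLE_LOG = [
    r'ts=2020-03-04T10:15:22Z host=WS-17 user=CORP\jdoe image="C:\Program Files\Example Vendor\winrar.exe" signer="Example Vendor Ltd" sig_valid=yes',
    r'ts=2020-03-04T10:17:03Z host=WS-17 user=CORP\jdoe image=C:\Users\jdoe\AppData\Local\Temp\psexec.exe signer="Example Vendor Ltd" sig_valid=yes',
    r'ts=2020-03-04T10:21:40Z host=WS-17 user=CORP\jdoe image=C:\Users\jdoe\AppData\Local\Temp\updater.exe signer="Acme Software Co" sig_valid=yes',
    r'ts=2020-03-04T10:30:11Z host=SRV-02 user=CORP\svc_backup image="C:\Program Files\Example Corp\backup.exe" signer="Example Corp IT" sig_valid=yes',
    r'ts=2020-03-04T10:33:05Z host=WS-17 user=CORP\jdoe image=C:\Users\jdoe\Downloads\putty.exe signer="" sig_valid=no',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['host']:<7} {f['kind']:<18} {f['detail']}")
```

The per-host stacking rule is the part worth tuning: a single archiver or SSH client on a workstation is routine, but PuTTY, PsExec and WinRAR appearing on one host in a short window looks much more like the staging, lateral movement and collection sequence described in the report, and is cheap to express once events are normalised into a common shape.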

Although the first activity associated with the recent campaign started in August 2019, the attackers were able to maintain a presence in the compromised networks for a long time.

“The group remained active on the network of the media company for a year, with activity on some machines there seen as recently as August 2020,” the researchers said. “Palmerworm also maintained a presence on the networks of a construction and a finance company for several months. However, it spent only a couple of days on the network of a Japanese engineering company in September 2019, and a couple of weeks on the network of an electronics company in March 2020. It spent approximately six months on one of the U.S.-based machines on which we observed activity.”

“APT groups continue to be highly active in 2020, with their use of dual-use tools and living-off-the-land tactics making their activity ever harder to detect, and underlining the need for customers to have a comprehensive security solution in place that can detect this kind of activity,” Symantec concluded.