Security researchers from The Threat Hunter Team at Symantec have uncovered a new espionage campaign aimed at organizations in construction, electronics, engineering, media, and finance in Japan, Taiwan, the U.S., and China.
The campaign has been attributed to an APT group known as Palmerworm (BlackTech), which has a long history of targeting companies in East Asia. While Symantec did not attribute Palmerworm’s activity to any specific country, a previous report from Taiwanese officials suggests the group is linked to the Chinese government.
According to the researchers, the attacks started in 2019 and continued into 2020, targeting organizations in the media, construction, engineering, electronics, and finance sectors with the goal of gathering information of interest to the attackers.
In this recent campaign the team observed the Palmerworm hackers leverage dual-use tools such as PuTTY, PsExec, SNScan, and WinRAR, as well as custom malware, including the Consock, Waship, Dalwit, and Nomri backdoors, which had not been seen in previous attacks by the group. Malware used by Palmerworm in the past has included the Kivars and Pled backdoors.
The use of dual-use tools lets the attackers operate on victim systems without having to write complex custom malware, which is more easily linked back to a specific group. The attackers have also been observed using stolen code-signing certificates to sign their payloads. The researchers said they were not able to identify the infection vector used to gain initial access to victims’ networks, but in the past the group has used spear-phishing emails for this purpose.
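As an added example (not code from the Symantec report), the following Python hunt runs over constructed process-creation records and flags hosts on which several of the named dual-use tools ran inside one time window; the record format and the executable names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dual-use tools named in the report, keyed by their usual executable names
# (an assumption: attackers can and do rename binaries).
DUAL_USE_TOOLS = {"putty.exe": "PuTTY", "psexec.exe": "PsExec",
                  "snscan.exe": "SNScan", "winrar.exe": "WinRAR", "rar.exe": "WinRAR"}

# Simplified process-creation record (constructed format, not a real product's).
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=\S+ image=(?P<image>.+)$")

def parse_line(line):
    """Return (timestamp, host, tool) if the line launches a dual-use tool, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    exe = m.group("image").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    tool = DUAL_USE_TOOLS.get(exe)
    return (datetime.fromisoformat(m.group("ts")), m.group("host"), tool) if tool else None

def find_tool_clusters(lines, window=timedelta(hours=24), min_distinct=2):
    """Map host -> sorted tool names for hosts on which at least `min_distinct`
    different dual-use tools ran inside one `window`. One PsExec or WinRAR launch is
    routine admin work; several together on a host is the combination worth a hunt."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, host, tool = parsed
            events[host].append((ts, tool))
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {t for ts, t in evs[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                flagged[host] = sorted(seen)
                break
    return flagged

# Constructed sample: WS-12 shows remote execution, scanning and archiving within hours;
# FS-01 shows only an isolated WinRAR launch.
SAMPLE_LOGS = [
    "2020-03-02T09:14:00 host=WS-12 user=svc_backup image=C:\\Tools\\PsExec.exe",
    "2020-03-02T09:20:31 host=WS-12 user=svc_backup image=C:\\Users\\Public\\snscan.exe",
    "2020-03-02T17:45:10 host=WS-12 user=svc_backup image=C:\\Program Files\\WinRAR\\Rar.exe",
    "2020-03-02T10:00:00 host=FS-01 user=admin image=C:\\Program Files\\WinRAR\\WinRAR.exe",
    "2020-03-05T11:00:00 host=FS-01 user=admin image=C:\\Windows\\System32\\notepad.exe",
]
```

Running `find_tool_clusters(SAMPLE_LOGS)` flags only WS-12; the single WinRAR launch on FS-01 stays below the threshold.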
Although the first activity associated with the recent campaign started in August 2019, the attackers were able to maintain a presence in the compromised networks for a long time.
“The group remained active on the network of the media company for a year, with activity on some machines there seen as recently as August 2020,” the researchers said. “Palmerworm also maintained a presence on the networks of a construction and a finance company for several months. However, it spent only a couple of days on the network of a Japanese engineering company in September 2019, and a couple of weeks on the network of an electronics company in March 2020. It spent approximately six months on one of the U.S.-based machines on which we observed activity.”
“APT groups continue to be highly active in 2020, with their use of dual-use tools and living-off-the-land tactics making their activity ever harder to detect, and underlining the need for customers to have a comprehensive security solution in place that can detect this kind of activity,” Symantec concluded.