Thursday, March 28, 2024

5 APT Hacker Groups Attack Linux Servers, Windows and Android Platform Using RAT’s For Past 10 Years

Researchers uncovered a new cross-platform attack from 5 different APT groups that work for the Chinese Government targets the Linux servers, Windows and Android systems deployed in an organization around the globe using Remote Access Trojan’s, and the campaign remains undetected nearly a decade.

Threat APT groups are comprised of civilian contractors working in the interest of the Chinese government and they focused on the large Linux server deployed data centers that are the backbone for most sensitive enterprise network operations.

These APT attacks carry over the Linux malware that is linked with one of the largest Linux botnets that ever discovered, along with kernel-level rootkits which are extremely difficult to detect and increase the probability of the infection rate.

These groups mainly attacking the Red Hat Enterprise, CentOS, and Ubuntu Linux environments for the purposes of espionage and steal the intellectual property of the several industries across the globe.

Targeting the Linux servers has following advantages.

• Compromising Linux web servers allows for the exfiltration of massive amounts of data that can be obscured within the high volume of daily web traffic

• Compromising Linux database servers provides attackers a greater chance of finding valuable data like sensitive intellectual property, trade secrets, or lists of employee usernames and passwords relatively quickly

• Compromising Linux jump-boxes, aka bastion or proxy servers, erases a layer of protection typically relied upon by most corporate networks to separate internal networks from external threats

There are several malware, toolsets, the rootkits, and the infrastructure involved in this large scale APT attack.

Attackers also leveraging Android malware in combination with traditional desktop malware in ongoing cross-platform surveillance and espionage campaigns.

Collected evidence shows that the attackers shifted to the use of a cloud platform for command and control server and perform a data exfiltration which helps them perform their operation over trusted communication.

Four of these five groups are already known to the security community as PASSCV, BRONZE UNION (aka APT27, EMISSARY PANDA), a group tracked internally as CASPER (aka LEAD), and the original WINNTI GROUP.

A fifth APT group called as Linux splinter cell group that has been tracked as WLNXSPLINTER using a collection of backdoor called WINNTILNX toolset.

There are 3 backdoor and 2 rootkit variants that are used by these groups in this massive attack over a decade.

  • PWNLNX1 (Backdoor)
  • PWNLNX2 (Backdoor)
  • PWNLNX3 (Backdoor)
  • PWNLNX4 (Rootkit)
  • PWNLNX5 (C2 Server for both Windows and Linux malware suite)
  • PWNLNX6 (Rootkit)

Windows malware that used this in campaign attempts to elude defenders through the use of stolen adware code-signing certificates, hiding the malware in plain sight with the hopes it will be dismissed as just another blip in a nearly constant stream of adware alerts.

Researchers also found a modified ZXShell variants commonly used by BRONZE UNION (aka APT27, EMISSARY PANDA).

ZXShell variants contain several droppers that load the Windows backdoor payload which has the following functions.

APT GROUPS

Mobile Malware Division

Researchers found evidence that these APT groups also developed a Mobile Malware and powerful Remote Access Trojan for mobile devices, especially for the Android platform.

Android malware that uncovered by the researchers very closely resembles the code in a commercially available penetration testing tool which is created nearly two years back.

Upon closer examination of the groups leveraging the Linux implants, BlackBerry researchers found a number of indications within current and older C2 infrastructures that mobile implants associated with both PASSCV and CASPER likely existed.

Another interesting find is NetWire RAT, a multi-platform, commercial, off-the-shelf remote administration tool (RAT) that can be licensed on a monthly or annual basis from a company called World Wired Labs.

This RAT module legitimately utilized by system admins, network admin, incident responders, also parents who want to monitor their kids’ mobile phone activity.

But the RAT tool is one of the most pervasive RATs in use by criminal enterprises and APT groups.

BlackBerry researchers also identified several implants designated as PWNDROID5 which masqueraded as fake Adobe Flash updates for Android in a newly identified campaign designated as OPERATION ANDROIDBEACON.

John McClurg, Chief Information Security Officer at BlackBerry said “This research paints a picture of an espionage effort targeting the very backbone of large organizations’ network infrastructure that is more systemic than has been previously acknowledged,” You can read the full report here.

Website

Latest articles

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles