Saturday, December 7, 2024
HomeCyber Attack5 APT Hacker Groups Attack Linux Servers, Windows and Android Platform...

5 APT Hacker Groups Attack Linux Servers, Windows and Android Platform Using RAT’s For Past 10 Years

Published on

SIEM as a Service

Researchers uncovered a new cross-platform attack from 5 different APT groups that work for the Chinese Government targets the Linux servers, Windows and Android systems deployed in an organization around the globe using Remote Access Trojan’s, and the campaign remains undetected nearly a decade.

Threat APT groups are comprised of civilian contractors working in the interest of the Chinese government and they focused on the large Linux server deployed data centers that are the backbone for most sensitive enterprise network operations.

These APT attacks carry over the Linux malware that is linked with one of the largest Linux botnets that ever discovered, along with kernel-level rootkits which are extremely difficult to detect and increase the probability of the infection rate.

- Advertisement - SIEM as a Service

These groups mainly attacking the Red Hat Enterprise, CentOS, and Ubuntu Linux environments for the purposes of espionage and steal the intellectual property of the several industries across the globe.

Targeting the Linux servers has following advantages.

• Compromising Linux web servers allows for the exfiltration of massive amounts of data that can be obscured within the high volume of daily web traffic

• Compromising Linux database servers provides attackers a greater chance of finding valuable data like sensitive intellectual property, trade secrets, or lists of employee usernames and passwords relatively quickly

• Compromising Linux jump-boxes, aka bastion or proxy servers, erases a layer of protection typically relied upon by most corporate networks to separate internal networks from external threats

There are several malware, toolsets, the rootkits, and the infrastructure involved in this large scale APT attack.

Attackers also leveraging Android malware in combination with traditional desktop malware in ongoing cross-platform surveillance and espionage campaigns.

Collected evidence shows that the attackers shifted to the use of a cloud platform for command and control server and perform a data exfiltration which helps them perform their operation over trusted communication.

Four of these five groups are already known to the security community as PASSCV, BRONZE UNION (aka APT27, EMISSARY PANDA), a group tracked internally as CASPER (aka LEAD), and the original WINNTI GROUP.

A fifth APT group called as Linux splinter cell group that has been tracked as WLNXSPLINTER using a collection of backdoor called WINNTILNX toolset.

There are 3 backdoor and 2 rootkit variants that are used by these groups in this massive attack over a decade.

  • PWNLNX1 (Backdoor)
  • PWNLNX2 (Backdoor)
  • PWNLNX3 (Backdoor)
  • PWNLNX4 (Rootkit)
  • PWNLNX5 (C2 Server for both Windows and Linux malware suite)
  • PWNLNX6 (Rootkit)

Windows malware that used this in campaign attempts to elude defenders through the use of stolen adware code-signing certificates, hiding the malware in plain sight with the hopes it will be dismissed as just another blip in a nearly constant stream of adware alerts.

Researchers also found a modified ZXShell variants commonly used by BRONZE UNION (aka APT27, EMISSARY PANDA).

ZXShell variants contain several droppers that load the Windows backdoor payload which has the following functions.

APT GROUPS

Mobile Malware Division

Researchers found evidence that these APT groups also developed a Mobile Malware and powerful Remote Access Trojan for mobile devices, especially for the Android platform.

Android malware that uncovered by the researchers very closely resembles the code in a commercially available penetration testing tool which is created nearly two years back.

Upon closer examination of the groups leveraging the Linux implants, BlackBerry researchers found a number of indications within current and older C2 infrastructures that mobile implants associated with both PASSCV and CASPER likely existed.

Another interesting find is NetWire RAT, a multi-platform, commercial, off-the-shelf remote administration tool (RAT) that can be licensed on a monthly or annual basis from a company called World Wired Labs.

This RAT module legitimately utilized by system admins, network admin, incident responders, also parents who want to monitor their kids’ mobile phone activity.

But the RAT tool is one of the most pervasive RATs in use by criminal enterprises and APT groups.

BlackBerry researchers also identified several implants designated as PWNDROID5 which masqueraded as fake Adobe Flash updates for Android in a newly identified campaign designated as OPERATION ANDROIDBEACON.

John McClurg, Chief Information Security Officer at BlackBerry said “This research paints a picture of an espionage effort targeting the very backbone of large organizations’ network infrastructure that is more systemic than has been previously acknowledged,” You can read the full report here.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...