Saturday, December 7, 2024
HomeComputer SecurityWaterbug APT Hackers Hijacked Another APT Group Infrastructure to Attack Governments and...

Waterbug APT Hackers Hijacked Another APT Group Infrastructure to Attack Governments and International Organizations

Published on

SIEM as a Service

Waterbug APT Hackers used hijacked infrastructure to attack governments and international organizations through various campaigns using new and publically available malware. The group also use living off the land for executing process on the systems.

Symantec observed the targeted attack over the past year using unique tools and the campaigns hitting Europe, Latin America, and South Asia.

Multiple Campaigns

Symantec observed multiple campaigns using different toolsets on the attack campaigns, including custom malware.

- Advertisement - SIEM as a Service

The first campaign uses new malware dubbed Neptun, to target exchange servers. The Neptun malware installed on exchange servers and get commands from attackers passively. It is capable of downloading additional tools, upload stolen files, and execute shell commands.

The second campaign uses the publically available Meterpreter backdoor along with the two custom loaders, custom backdoor, and a custom Remote Procedure Call. It appears the hacker group uses Meterpreter since 2018.

The third campaign employees a new RPC backdoor that uses publicly available PowerShellRunner to run the PowerShell scripts to avoid detection.

Hacking Tools and Exploits used.

  • A custom tool that combines EternalBlue, EternalRomance, DoublePulsar, SMBTouch
  • Custom dropper malware Neptun
  • Visual Basic & PowerShell scripts
  • Publicly available tools such as RPC commands, SScan, NBTScan for scanning network
  • PsExec for lateral movement, Mimikatz for stealing credentials and Certutil.exe to decode remote files.

Symantec lists the governments and international organizations attacked by Waterbug that includes governments, international organizations, IT, and education sectors across the globe.

“Waterbug’s use of Crambus infrastructure appears to have been a hostile takeover, during the attack campaigns customized variant of Mimikatz was downloaded Crambus-controlled network infrastructure.”

Waterbug APT Hackers

Another tool IntelliAdmin also detected on the victim’s network, which was previously used by Crambus gives more closure resemble that Waterbug group compromise the Crambus infrastructure.

“Waterbug’s frequent retooling ability demonstrates a high degree of adaptability by a group determined to avoid detection by staying one step ahead of its targets.”

Indicators of Compromise of all the three campaigns can be found here.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep yourself updated.

Iranian MuddyWater APT Hackers Adds New Exploits in Their Hacking Arsenal to Attack Government Networks

Iranian Based OilRig APT Hackers Owned Email Hacking Tool Leaked in Telegram

Hackers From Chinese APT-27 Group Initiated 15000 Attacks Against MySQL Servers to Compromise Enterprise Networks

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...