A new attack on secure USB drives: Kaspersky reveals key trends in the Q3 APT report

While this tactic was similar to the compromise of drives that used the UTetris USB management software last year, attributed by Kaspersky to TetrisPhantom, the malicious code implanted on the drive in the latest incident was new. An analysis of the Trojanized USB management software used in this attack, as well as other trends in tools used by cybercriminal groups in attacks around the world, is provided in the latest Kaspersky Q3 APT report.

Other notable findings described in Kaspersky’s Q3 APT report include:

Asia

• Kaspersky detected new attack schemes that utilized the P8 attack framework, which was previously used to target Vietnamese organizations. Most of the infections took place in financial institutions in Vietnam, with one victim active in the manufacturing industry.

Asia, Turkiye, Europe, and Russia

• Awaken Likho is an APT campaign, active since at least July 2021, that primarily targets government organizations and contractors. To date, Kaspersky has detected more than 120 targets in Russia, India, China, Vietnam, Taiwan, Turkiye, Slovakia, the Philippines, Australia, Switzerland and the Czech Republic, among others. While previously attackers relied on the use of the legitimate remote administration tool UltraVNC, in a campaign uncovered in June 2024 (still ongoing), the attackers changed the final payload from UltraVNC to MeshAgent (another remote administration tool; it uses an open-source remote management server).

Africa & Asia

• The Scieron backdoor, a tool commonly used in cyber-espionage campaigns by the Scarab group, was detected in a new campaign that targeted a government entity in Africa and a telecom provider in Central Asia.

Middle East

• MuddyWater is an APT actor that surfaced in 2017 and has traditionally targeted countries in the Middle East, Europe, and the USA. Recently Kaspersky uncovered VBS/DLL-based implants used in intrusions by the MuddyWater APT group, which are still active today. The implants were found at multiple government and telecom entities in Egypt, Kazakhstan, Kuwait, Morocco, Oman, Syria and the UAE.
• TropicTrooper (aka KeyBoy and Pirate Panda) is an APT group that has been operating since 2011. The group’s targets have traditionally included government entities, as well as the healthcare, transportation and high-tech industries located in Taiwan, the Philippines, and Hong Kong. Kaspersky’s most recent analysis revealed that in 2024, the group conducted attacks against a government entity in Egypt. An attack component was detected that was presumably used by Chinese-speaking actors.

Russia

• In 2021, a campaign called ExCone was detected by Kaspersky, targeting government entities in Russia using vulnerabilities in the VLC media player. Later, victims were also found in Europe, Central Asia, and Southeast Asia. In 2022, spear-phishing emails started to be used as an infection vector, and an updated version of the Pangolin Trojan was deployed. In mid-July 2024, the actor turned to embedding a JavaScript loader as the initial infection vector and attacked Russian educational institutions.

LATAM & Asia

• In June, Kaspersky identified an active campaign called PassiveNeuron, targeting government entities in Latin America and East Asia using previously unknown malware. The servers were compromised before security products were installed, and the method of infection remains unknown. The implants used in this operation do not share any code similarities with known malware, so attribution to a known threat actor is not possible at this time. The campaign shows a very high level of sophistication.

“Throughout 2024, there were 3 billion local threats detected and blocked by Kaspersky globally. The compromise of software on secure USB drives is unusual, but it underscores the fact that protected local digital spaces can be compromised by sophisticated schemes. Cybercriminals constantly update their toolsets and expand the scope of their activities, broadening their targets, both in terms of the spheres targeted, and geographically. We also see more open source tools employed by APT threat actors,” comments David Emm, principal security researcher at Kaspersky.

To read the full APT Q3 2024 trends report, please visit Securelist.

Advanced persistent threats (APTs) are continuous, clandestine, and sophisticated hacking techniques used to gain access to a system and remain inside for a prolonged period of time, with potentially destructive consequences. APTs are usually leveled at high-value targets, such as nation-states and large corporations, with the ultimate goal of stealing information over a long period of time, rather than simply "dipping in" and leaving quickly, as many black-hat attackers do during lower-level cyber assaults.

To avoid falling victim to a targeted attack, Kaspersky researchers recommend individuals and organizations:

• Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence is a single point of access for the company’s TI, providing it with cyberattack data and insights gathered by Kaspersky spanning over 20 years.
• Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
• Implement a corporate-grade security solution that detects advanced threats at the network level at an early stage, such as the Kaspersky Anti Targeted Attack Platform.
• Use centralized and automated solutions such as Kaspersky Next XDR Expert to enable comprehensive protection of all your assets;
• Introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform, as many targeted attacks start with phishing or other social engineering techniques.
• Update OS and software as soon as possible and do so regularly.