The Poseidon’s Domain

At the SAS 2016, Kaspersky Lab researchers discussed the newly discovered Poseidon Group: a custom APT boutique chasing commercially valuable data.

Poseidon — a custom-tailored malware boutique unveiled at #theSAS2016

Long gone are the days when hackers would make malware just for fun. Nowadays malware is there not to simply cripple a PC, as it once was, but rather to make money for those who have created and infected your computer with it. Cybercrime is an industry unto itself with both large and small players. Our GReAT experts have recently discovered another player in the space, which they have dubbed the Poseidon Group. Their research on this group was presented at the Security Analyst Summit 2016.


While the research was presented in 2016, the group is hardly a new player. Campaigns from this group seem to have been active since 2005, and the earliest sample found dates back to 2001. Poseidon targets only Windows-based computers, ranging from Windows 95 to Windows 8.1 and Windows Server 2012 in the latest samples discovered. The group has a special crush on domain-based networks, which are typical of big companies and enterprises.


How Poseidon strikes

The attacks usually start with spear phishing, a form of phishing that targets specific individuals rather than relying on mass spam campaigns. In practice this means the criminals rely on social engineering to convince the victim to open a malicious message.

Once the victim has downloaded the malicious file, usually a DOC or RTF document with embedded malware, their computer is compromised. Interestingly, Poseidon’s toolkit is aware of many antivirus products and tries either to hide from them or to attack their processes as a means of self-defense.
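As an added example (not from the original post or from Kaspersky’s tooling), here is a small Python triage check a defender could run over attachments of the kind described above: it looks for embedded OLE objects in RTF files and reports their declared class, one of the signs worth checking before such a document is opened. The sample documents are constructed, and real-world RTF is often obfuscated, so treat this as a first-pass check rather than a parser.

```python
import re

# Standard RTF control words that introduce an embedded OLE object, its class
# name and its hex-encoded payload. The triage logic below is my own assumption
# about what is worth flagging, not a published Poseidon signature.
OBJECT_RE = re.compile(rb"\\object\b")
OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def scan_rtf(data: bytes) -> dict:
    """Summarise embedded objects in raw RTF bytes without rendering the file."""
    is_rtf = data.lstrip().startswith(b"{\\rtf")
    objects = len(OBJECT_RE.findall(data))
    classes = [c.decode("ascii", "replace") for c in OBJCLASS_RE.findall(data)]
    # Each \objdata blob is hex text; strip whitespace and halve to get bytes.
    payload_bytes = sum(
        len(re.sub(rb"\s", b"", blob)) // 2 for blob in OBJDATA_RE.findall(data)
    )
    return {
        "is_rtf": is_rtf,
        "embedded_objects": objects,
        "object_classes": classes,
        "payload_bytes": payload_bytes,
        # Any embedded object in an unsolicited document deserves a closer look;
        # the generic "Package" class in particular can wrap an arbitrary file.
        "suspicious": objects > 0,
    }


# Constructed sample documents for demonstration (not real Poseidon samples).
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Calibri;}} Quarterly report attached.\\par }"
OBJECT_RTF = (
    b"{\\rtf1\\ansi Please review.\\par "
    b"{\\object\\objemb{\\*\\objclass Package}"
    b"{\\*\\objdata 0105000002000000 0b00000050616b61676500}}"
    b"}"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("with object", OBJECT_RTF)):
        print(name, scan_rtf(doc))
```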

The malware installed on the PC then establishes a connection with a command & control server. The attackers move laterally, collecting a lot of data, seeking ways to escalate their privileges, and mapping the network in order to find the exact PC they are looking for. Their main target is usually the Windows domain controller, and their main goal is stealing intellectual property, trade secrets and other commercially important data.

These attacks are highly customized. Despite the fact that the initial stage is usually the same, everything that happens afterwards is designed specifically and personally for each victim, which is why the GReAT team decided to call Poseidon a ‘custom-tailored malware implants boutique’. That is also the main reason it took so long to link the pieces of the puzzle together and to figure out that all the attacks that seemed unconnected were actually performed by one group lurking in the shadows.

The information that Poseidon gathered was typically used to blackmail the victims in order to convince them to hire Poseidon as a security contractor. Sometimes that didn’t stop Poseidon from continuing the attack or initiating a new one targeting the same company. The campaign is probably not state-sponsored, because Poseidon only showed interest in gathering highly valuable commercial data. We believe the information was also frequently sold to other parties who showed interest and had enough money to pay for it.

All Kaspersky Lab products detect all known Poseidon threats as Backdoor.Win32.Nhopro, HEUR:Backdoor.Win32.Nhopro.gen or HEUR:Hacktool.Win32.Nhopro.gen.

What makes Poseidon special is that it’s the first player in the APT market targeting primarily Portuguese-speaking companies or businesses that have joint ventures in Brazil. There are also victims in France, India, Kazakhstan, Russia, the United Arab Emirates and the United States of America.

By now we know of at least 35 victims, including financial and government institutions, energy, telecommunication and manufacturing companies, and media and PR agencies. Since it’s hard to distinguish a Poseidon Group attack from some other malware infection due to their customized and stealthy approach, GReAT researchers believe there are more victims that cannot be identified at this time.

Kaspersky Lab is working together with known victims of active infections, providing remediation assistance and intelligence reports in order to help them withstand the threat. We were able to sinkhole several command & control servers, but the Poseidon Group has a habit of frequently changing them and thus remains active for now.

This cyber campaign is a good example of how crucial proper information security policies and security solutions are for large businesses. Stay tuned to learn more about newly discovered APTs, as the SAS 2016 paid a lot of attention to this particular subject.

Tips