The cyber espionage group known as Chafer, APT39, or Remix Kitten has been targeting Saudi Arabia, Kuwait and other countries in the Middle East. It is the same group that has distributed data-stealing malware since 2014. The group is focused on surveillance and the tracking of individuals. From the perspective of APT39 and its collaborators, the most productive targets are telecommunications, the technology industry, media, transportation, services, and government institutions, since these sectors hold a great deal of information on their current and prospective customers. Being a state actor, APT39 is also interested in spying on the governments of other nations.
In the reconnaissance stage, the primary tools are social engineering attacks that give the group remote administration access. Payloads are then delivered to infect victims, often by spearphishing email, and a backdoor is established through a user account created on the victim's machine. What sets APT39 apart from other nation-state hacking groups is its more personal approach to obtaining information from individuals. The group also maintains relatively stable operational security to avoid detection. Even so, analysts have observed it running a modified version of Mimikatz that bypasses anti-malware tools, as well as harvesting credentials outside the victim's perimeter network.
Known Techniques used:
- Connection Proxy – Custom tools to create SOCKS5 proxies between infected hosts.
- Credential Dumping – Used Mimikatz, Ncrack, Windows Credential Editor, and ProcDump to dump credentials.
- Web Shell – Installed ANTAK and ASPXSPY web shells.
- Spearphishing Link – Leveraged spearphishing emails with malicious links to initially compromise victims.
- Scripting – Custom scripts to perform internal reconnaissance.
- Remote Services – Secure Shell (SSH) to move laterally among their targets.
- PsExec – Service Execution and Windows Admin Shares.
- Windows Credential Editor – Credential Dumping.
Suggested Mitigations:
- Proactively detect and log malicious server configurations in the Command and Control (CnC) feed.
- Monitor for subsequent login attempts from the same IP address against different accounts.
- Introducing multi-factor authentication is a highly effective measure.
- Hired analysts must monitor criminal dark web communities for newly targeted organizations.
- Set a unique, unpredictable password for each online account that is vulnerable to password-spraying techniques.
- Conduct social engineering training for company employees, as this mitigates the threat posed to the organization.
- Use an IDS, as this aids in identifying unsuccessful login attempts across multiple user accounts.
- Use an efficient anti-malware solution that can detect and block a program from being installed and executed within the network. As always, a layered security approach is recommended to protect against all types of attacks.
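Two of the mitigations above (watching for login attempts from one IP against different accounts, and IDS-style detection of failures across many user accounts) describe the same password-spraying detection rule. The following Python is an added example, not from the original article: it applies that rule to constructed failed-logon lines in a simplified Windows event 4625 layout, which is an assumption about the log format.

```python
"""Flag password-spraying activity: one source IP failing logons against many
distinct accounts inside a short window. Added example, not from the article;
log lines are constructed and the field layout is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample in a simplified Windows event 4625 (failed logon) layout:
# one spraying source and one source hammering a single account.
SAMPLE_LOG = """\
2024-03-01T09:00:01 EventID=4625 user=alice src=203.0.113.7
2024-03-01T09:00:03 EventID=4625 user=bob src=203.0.113.7
2024-03-01T09:00:05 EventID=4625 user=carol src=203.0.113.7
2024-03-01T09:00:08 EventID=4625 user=dave src=203.0.113.7
2024-03-01T09:00:09 EventID=4625 user=erin src=203.0.113.7
2024-03-01T09:00:12 EventID=4625 user=alice src=198.51.100.4
2024-03-01T09:00:15 EventID=4625 user=alice src=198.51.100.4
2024-03-01T11:30:00 EventID=4625 user=frank src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_failures(text):
    """Yield (timestamp, user, src) for each failed-logon line (event 4625)."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("eid") == "4625":
            yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("src")

def detect_spray(text, window=timedelta(minutes=10), min_accounts=5):
    """Return {src_ip: sorted distinct users} for each source whose failures hit
    at least `min_accounts` distinct accounts within `window`. Repeated failures
    on a single account (plain brute force) never satisfy the distinct-user rule."""
    per_src = defaultdict(list)
    for ts, user, src in parse_failures(text):
        per_src[src].append((ts, user))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0  # sliding window: only failures inside one window count together
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[src] = sorted(users)
                break
    return alerts
```

Tune `window` and `min_accounts` to the environment; a lower threshold catches slower sprays at the cost of more noise from shared NAT addresses.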