A cyber espionage group tracked to China has been leveraging legitimate network administration and open source tools to target organisations in the satellite, telecoms and defence sectors.
That's the warning of security specialists at Symantec, who describe such techniques as ‘living off the land'.
"The purpose of living off the land is twofold. By using such features and tools, attackers are hoping to blend in on the victim's network and hide their activity in a sea of legitimate processes," explained Symantec in a threat intelligence warning.
It continued: "Secondly, even if malicious activity involving these tools is detected, it can make it harder to attribute attacks. If everyone is using similar tools, it's more difficult to distinguish one group from another. Most attack groups do still create and leverage custom malware, but it tends to be employed sparingly, reducing the risk of discovery."
The work of the group was first triggered in January 2018 on the network of a telecoms operator in Southeast Asia. "An attacker was using PsExec to move laterally between computers on the company's network. PsExec is a Microsoft Sysinternals tool for executing processes on other systems and is one of the most frequently seen legitimate pieces of software used by attackers attempting to live off the land.
"However, it's also widely used for legitimate purposes, meaning malicious use of PsExec can [therefore] be difficult to spot."
The attackers were attempting to remotely install a previously unknown piece of malware on computers within the victim's network, according to Symantec.
"When we analysed the malware, we discovered that it was an updated version of Trojan.Rikamanu, malware associated with Thrip, a group we've been monitoring since 2013. After further investigation, we discovered that Thrip also used a completely new piece of malware in this attack.
This new malware is now called Infostealer.Catchamas, which Symantec wrote up on 14 March. This Trojan steals keystrokes, clipboard data, screenshots based on specific keywords in the window title, and network adapter information, including Mac address, IP address and adapter name.
But it was the target that intrigued Symantec researchers the most: a satellite operator, but the attackers were most interested in the operational side of the company, looking for and infecting the computers that monitor and control satellites.
Another target specialised in geospatial imaging and mapping, with Thrip targeting the operational side of the company running MapXtreme GIS software. "It also targeted machines running Google Earth Server and Garmin imaging software," notes Symantec, in addition to three other telecoms operators in Southeast Asia, as well as a defence contractor.
The group involved in these attacks was linked with Thrip, a hacking outfit Symantec has tracked since 2013. Initially, this group used its own custom malware for its attacks, but in attacks starting in 2017 it changed tack, switching to a combination of custom malware and legitimate tools.
These tools include Microsoft's PsExec and PowerShell, the free tool Mimikatz, the open-source WinSCP FTP client, used for data exfiltration, and LogMeIn cloud-based remote-access software.
Symantec claims that it was able to identify the latest round of Thrip cyber espionage using its Targeted Attack Analytics tool, which applies machine learning to telemetry data to identify malicious activity.
"From the initial alert triggered by TAA, we were able to follow a trail that eventually enabled us to see the bigger picture of a cyber espionage campaign originating from computers within China and targeting multiple organizations in the US and Southeast Asia.
"Espionage is the group's likely motive but given its interest in compromising operational systems, it could also adopt a more aggressive, disruptive stance should it choose to do so," the Symantec report concluded.
New light-guiding nanoscale device can control and monitor a nanoparticle trapped in a laser beam with high sensitivity
Optical traps are scientific instruments in which a focused laser beam is used to exert an attractive or repulsive force on a microscopic object to hold it in place
Scientists estimate that the exoplanet has already lost up to 35 per cent of its mass over its lifetime
The observations were made using the Atacama Array in the Chilean desert
J1043+2408 was observed for more than 10 years, and its radio light curve exhibited a periodic signal repeating in about 563 days