Hacking Group Targets European Banks, Military
Kaspersky: 'CactusPete' Using Revamped Back Door
A hacking group dubbed "CactusPete" is using a revamped backdoor called Bisonal to target banks and military organizations in Eastern Europe, the security firm Kaspersky reports. Security analysts have previously tied the group to China.
This advanced persistent threat group, which is also known as Karma Panda and Tonto Team and has been around since 2013, has previously focused on targets in the U.S., South Korea, Japan and Taiwan. Over the last year, the group has begun showing interest in other parts of Asia and now Eastern Europe as its capabilities have expanded, according to the new Kaspersky report.
These expanded capabilities include the use of the Bisonal backdoor, which is designed to help steal data, execute code on targeted devices and allow the attackers to move laterally throughout a targeted network, according to the report.
And while this latest campaign targeting Eastern Europe appears to have run from February to April, the Kaspersky team has uncovered 300 variations of the Bisonal backdoor used by CactusPete dating to March 2019. This points to the group accelerating the development of its malicious tools and deploying some 20 separate versions a month, Konstantin Zykov, a Kaspersky researcher, noted in the report.
The CactusPete group has previously targeted military and diplomatic organizations and has attempted to steal "sensitive data," according to the report.
Kaspersky says it's not clear how the Bisonal backdoor is installed on targeted devices, but the APT group is known to use spear-phishing techniques to target certain individuals.
Once installed, the backdoor connected to a command-and-control server through an unmodified HTTP-based protocol, according to Kaspersky. The malware then began to collect information about the compromised device. This includes the hostname, IP and MAC address, what version of Windows the device is running and the time zone where the device is located.
The backdoor then waited for additional commands and had the ability to start a program, terminate any process on the device, upload or download files, retrieve data and run remote shell code within the infected device, according to Kaspersky.
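A backdoor that waits for operator commands over an unmodified HTTP protocol, as described above, tends to leave a recognisable trace in web proxy logs: one internal host requesting the same external destination at a near-constant interval. The following script is an added example for this article, not code from Kaspersky or from the report; the log format, the host and domain names, and the tuning thresholds are all constructed assumptions used to show how a defender could surface that polling pattern.

```python
"""Flag hosts that poll one external destination over plain HTTP at a
near-constant interval, the pattern a backdoor waiting for commands over
an unmodified HTTP protocol tends to leave in proxy logs.

Constructed example for this article; the log format, the names and the
thresholds below are assumptions, not details from the Kaspersky report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, source host, method, destination host.
# ws-17 polls one domain every ~60 s; ws-04 browses irregularly.
SAMPLE_LOG = """\
2020-03-02T09:00:00 ws-17 POST cdn-update.example
2020-03-02T09:00:00 ws-04 GET  news.example.org
2020-03-02T09:01:00 ws-17 POST cdn-update.example
2020-03-02T09:01:30 ws-04 GET  news.example.org
2020-03-02T09:02:00 ws-17 POST cdn-update.example
2020-03-02T09:02:00 ws-04 GET  mail.example.org
2020-03-02T09:03:01 ws-17 POST cdn-update.example
2020-03-02T09:04:00 ws-17 POST cdn-update.example
2020-03-02T09:05:00 ws-17 POST cdn-update.example
2020-03-02T09:07:10 ws-04 GET  news.example.org
"""


def parse_log(text):
    """Return a dict (source, destination) -> sorted list of request timestamps."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    for key in series:
        series[key].sort()
    return series


def inter_request_gaps(timestamps):
    """Seconds between consecutive requests to the same destination."""
    return [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]


def beacon_score(timestamps):
    """Coefficient of variation of the gaps: 0.0 means perfectly regular polling.

    Returns None when there are too few requests to judge regularity.
    """
    gaps = inter_request_gaps(timestamps)
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return [(src, dst, mean_gap_seconds)] for pairs whose gaps are almost constant.

    min_requests and max_cv are tuning assumptions; real traffic must be
    baselined against legitimate update and telemetry endpoints first.
    """
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            hits.append((src, dst, round(mean(inter_request_gaps(stamps)), 1)))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: a request every ~{gap}s looks like C2 polling")
```

The regularity test is deliberately simple; in production the same logic is run per day over the full proxy feed and combined with an allow list of known software-update hosts, since those poll just as regularly as a backdoor does.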
In addition, the CactusPete group used other malware, such as the Mimikatz password stealer and various keyloggers, to harvest credentials and escalate privileges within an infected network, Zykov notes.
The Kaspersky report notes that CactusPete has also recently gained access to other malware and malicious tools. Earlier this year, researchers found the group was using ShadowPad, malware designed to target weaknesses in the global supply chain (see: 'Operation ShadowHammer' Shows Weakness of Supply Chains).
Ties to China
Researchers at Cisco Talos published their own report on CactusPete, which they call Tonto Team, in June.
That report gave additional details about the Bisonal backdoor and the hacking group's apparent ties to China's government.