Calypso APT: new group attacking state institutions

Calypso APT


The PT Expert Security Center first took note of Calypso in March 2019 during threat hunting. Our specialists collected multiple samples of the malware used by the group and also identified the organizations hit by the attackers, as well as the attackers' C2 servers.


Our data indicates that the group has been active since at least September 2016. Its primary goal is theft of confidential data. Its main targets are governmental institutions in Brazil, India, Kazakhstan, Russia, Thailand, and Turkey.


Our data gives reason to believe that the APT group is of Asian origin[1].


Initial infection vector


The attackers gained access to the internal network of a compromised organization through an ASPX web shell. The web shell was uploaded either by exploiting a vulnerability or by guessing default credentials for remote access. We managed to obtain live traffic between the attackers and the web shell.


Figure 1. Part of the recorded traffic

The traffic indicates that the attackers connected from IP address 46.166.129.241. The same host serves the domain tv.teldcomtv.com, the C2 server for the group's trojan. The attackers therefore use their C2 servers not only to control malware, but also to interactively access hosts in compromised infrastructures.


The attackers used the web shell to upload utilities[2] and malware[3], execute commands, and distribute malware inside the network. Examples of commands taken from the traffic are shown in the following screenshot.


Figure 2. Commands sent to the web shell
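
The captured traffic gives a defender two things to hunt for in web-server logs: requests arriving from the operator address 46.166.129.241 (which also hosts the C2 domain tv.teldcomtv.com) and POST requests to an .aspx page the application never legitimately served. The following Python is an added example and not code from the Positive Technologies report; it parses IIS W3C logs by their #Fields header rather than by fixed column positions, and checks a DNS query log for the C2 domain. Only the IP address and domain come from the text; the log lines, the baseline page set and the web shell path /images/err.aspx are constructed for the example.

```python
"""Hunt IIS W3C and DNS logs for Calypso-style web shell activity.

Added example, not part of the original report. Indicators from the text:
operator/C2 IP 46.166.129.241 and C2 domain tv.teldcomtv.com. All log lines,
the application baseline and the web shell path are constructed.
"""
from dataclasses import dataclass, field

C2_IPS = {"46.166.129.241"}          # source address seen in the captured traffic
C2_DOMAINS = {"tv.teldcomtv.com"}    # C2 domain hosted on that address

# Pages the (hypothetical) application is known to serve. A POST to any other
# .aspx resource is a candidate dropped web shell and deserves a look.
BASELINE_ASPX = {"/default.aspx", "/login.aspx"}


@dataclass
class Hit:
    line_no: int
    client_ip: str
    uri: str
    reasons: list = field(default_factory=list)


def parse_w3c(lines):
    """Yield (line_no, record) for an IIS W3C log, using the #Fields header.

    IIS may change the field set mid-file (a new #Fields line); the header
    is honoured each time it appears instead of assuming fixed columns.
    """
    fields = None
    for no, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a real hunt would record it separately
        yield no, dict(zip(fields, values))


def scan_iis_log(lines):
    """Return one Hit per log line that matches either indicator."""
    hits = []
    for no, rec in parse_w3c(lines):
        reasons = []
        client_ip = rec.get("c-ip", "")
        uri = rec.get("cs-uri-stem", "").lower()
        if client_ip in C2_IPS:
            reasons.append("client is a known Calypso C2/operator address")
        if (rec.get("cs-method") == "POST" and uri.endswith(".aspx")
                and uri not in BASELINE_ASPX):
            reasons.append("POST to .aspx page outside the application baseline")
        if reasons:
            hits.append(Hit(no, client_ip, uri, reasons))
    return hits


def scan_dns_log(lines):
    """Return (client, qname) pairs that resolved a C2 domain.

    Constructed line format: '<timestamp> <client-ip> <qname> <qtype>'.
    Matching is case-insensitive because DNS names are.
    """
    matches = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in C2_DOMAINS:
            matches.append((client, qname))
    return matches


# Constructed sample data for the functions above.
SAMPLE_IIS = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-03-05 08:12:01 10.0.0.5 GET /default.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2019-03-05 08:12:44 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 302 0 0 40
2019-03-05 08:15:10 10.0.0.5 POST /images/err.aspx - 443 - 46.166.129.241 Mozilla/5.0 - 200 0 0 1203
2019-03-05 08:15:11 10.0.0.5 POST /images/err.aspx - 443 - 46.166.129.241 Mozilla/5.0 - 200 0 0 77
2019-03-05 08:16:02 10.0.0.5 POST /images/err.aspx - 443 - 198.51.100.9 Mozilla/5.0 - 200 0 0 60
"""

SAMPLE_DNS = """\
2019-03-05T08:14:58Z 10.0.0.23 tv.teldcomtv.com A
2019-03-05T08:15:00Z 10.0.0.23 www.example.com A
2019-03-05T09:01:12Z 10.0.0.41 TV.TELDCOMTV.COM. A
"""

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_IIS.splitlines()):
        print(f"line {hit.line_no}: {hit.client_ip} -> {hit.uri}: {'; '.join(hit.reasons)}")
    for client, qname in scan_dns_log(SAMPLE_DNS.splitlines()):
        print(f"DNS: {client} resolved {qname}")
```

The last sample line is the interesting one: a POST to the same dropped page from an address that is not on the indicator list. Hunting only on the published IP would miss it, which is why the baseline check on POST targets is the more durable of the two rules; the IP and domain indicators are still worth keeping, since the report shows the C2 host doubling as the operators' access point.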

Lateral movement


The group performed lateral movement by using the following publicly available utilities and exploits:


SysInternals
Nbtscan
Mimikatz
ZXPortMap
TCP Port Scanner
Netcat
QuarksPwDump
WmiExec
EarthWorm
OS_Check_445
DoublePulsar
EternalBlue
EternalRomance

On compromised computers, the group stored malware ..
