Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors


The Threat Hunter Team at Symantec, a division of Broadcom (NASDAQ: AVGO), has uncovered a new espionage campaign carried out by the Palmerworm group (aka BlackTech) involving a brand new suite of custom malware, targeting organizations in Japan, Taiwan, the U.S., and China.


The attacks occurred in 2019 and continued into 2020, targeting organizations in the media, construction, engineering, electronics, and finance sectors. We observed the group using previously unseen malware in these attacks.


Palmerworm uses a combination of custom malware, dual-use tools, and living-off-the-land tactics in this campaign. Palmerworm has been active since at least 2013, with the first activity seen in this campaign in August 2019.


Tactics, Tools, and Procedures


Palmerworm was observed using both dual-use tools and custom malware in these attacks.


Among the custom malware families we saw it use were:


Backdoor.Consock
Backdoor.Waship
Backdoor.Dalwit
Backdoor.Nomri

We have not observed the group using these malware families in previous attacks – they may be newly developed tools, or the evolution of older Palmerworm tools. Malware used by Palmerworm in the past has included:


Backdoor.Kivars
Backdoor.Pled

While the custom malware used by the group in this campaign is previously undocumented, other elements of the attack bear similarities to past Palmerworm campaigns, making us reasonably confident that it is the same group carrying out this campaign.


As well as the four backdoors mentioned, we also see the group using a custom loader and a network reconnaissance tool, which Symantec detects as Trojan Horse and Hacktool. The group also used several dual-use tools, including:


Putty – can be leveraged by attackers for remote access, to exfiltrate data and send it back to attackers
PSExec – is a legitimate Microsoft tool that can be exploi ..
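As an added illustration, not taken from the Symantec report, the following Python hunt scans constructed Windows event records for the two dual-use tools named above: a PsExec service install (System event 7045 registering the PSEXESVC service) and a PuTTY-family process start (Security event 4688). The one-line event layout, file paths and rule names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample event records (not from the report), flattened to
# "<EventID>|<Channel>|<field=value;...>" so the example runs offline.
SAMPLE_EVENTS = [
    "7045|System|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "4688|Security|NewProcessName=C:\\Tools\\putty.exe;ParentProcessName=C:\\Windows\\explorer.exe",
    "4688|Security|NewProcessName=C:\\Windows\\System32\\notepad.exe;ParentProcessName=C:\\Windows\\explorer.exe",
    "7045|System|ServiceName=Spooler;ImagePath=%SystemRoot%\\System32\\spoolsv.exe",
    "4688|Security|NewProcessName=C:\\Users\\a\\plink.exe;ParentProcessName=C:\\Windows\\System32\\cmd.exe",
]

@dataclass
class Finding:
    event_id: str
    rule: str
    detail: str

# PsExec installs a service named PSEXESVC on the remote host; the PuTTY
# family (putty, plink, pscp, psftp) can carry data out over SSH.
PSEXEC_SERVICE = re.compile(r"PSEXESVC", re.IGNORECASE)
SSH_TOOL = re.compile(r"\\(putty|plink|pscp|psftp)\.exe$", re.IGNORECASE)

def parse_event(line):
    """Split one flattened record into (event_id, channel, {field: value})."""
    event_id, channel, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if "=" in kv)
    return event_id, channel, fields

def hunt(lines):
    """Return a Finding for each PsExec service install or PuTTY-family start."""
    findings = []
    for line in lines:
        event_id, channel, fields = parse_event(line)
        svc_text = fields.get("ServiceName", "") + fields.get("ImagePath", "")
        if event_id == "7045" and channel == "System" and PSEXEC_SERVICE.search(svc_text):
            findings.append(Finding(event_id, "psexec_service_install", fields.get("ImagePath", "")))
        elif event_id == "4688" and SSH_TOOL.search(fields.get("NewProcessName", "")):
            findings.append(Finding(event_id, "putty_family_process", fields["NewProcessName"]))
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Both tools are legitimate administrative software, so a hit is a triage lead to correlate with the account, source host and time, not proof of intrusion on its own.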
