Advanced Persistent Threat (APT) hacking groups continue to plague the web as usual. To stay relevant, however, the actors in charge are mingling old-school infection formulas with technical innovations, riding on popular topics and themes to enhance their social engineering approaches. Over the last few months, DeathStalker and MosaicRegressor appear to have upped their game using tools from opposite ends of the spectrum. While the former has largely stuck to its guns, the latter has attempted to break the mould and take malware infections to the next level.
If It Ain’t Broke, Don’t Fix It
It has been close to two years since the DeathStalker APT gang put a dent in the security of organizations in the financial and judicial sectors by deploying phishing schemes to harvest sensitive data. Although DeathStalker continues to use the same old phishing scams when approaching potential victims, the group has seemingly adopted some changes along the way. Rather than using dead drop resolvers and other code-sharing outlets to relay its espionage traffic, DeathStalker’s actors now point the malware at play straight at a dedicated C&C server. What is more, they seem to have intensified their phishing attacks to maximize their prospects of a successful compromise. Novel PowerShell implants embedded in email attachments appear to have entered the equation as well.
MosaicRegressor, on the other hand, features more sophisticated malware distribution tools. That APT exploits UEFI vulnerabilities to plant the seeds of an infection at the firmware level. As a result, the malware dropped via MosaicRegressor is practically impossible to defeat unless you replace the entire compromised UEFI firmware on your PC. Since UEFI loads before the OS, so does the malware, the implication being that it will still be there even after you reinstall your OS or swap in a brand-new hard drive altogether. So far, the main targets of the UEFI-tailored APT are both government and non-government organizations in the Southwest Asian region that have ties to North Korea in one way or another.