Bismuth APT

Bismuth APT Description

A long-running Advanced Persistent Threat (APT) group called Bismuth has been observed trying to hide its activities recently by deploying a crypto-miner payload to their targets. In the infosec landscape, crypto-mining operations are considered as non-critical issues and usually elicit a more subdued response when compared to cases of cyber-espionage or the deployment of ransomware.

Bismuth's main specialization has been the conducting of data-harvesting and espionage attack campaigns. The group has been functional since at least 2012, and during that period, their tools, techniques, and procedures have been evolving in both complexity and range steadily. The arsenal of the group consists of custom-made malware combined with open-source tools. Their victims come from a wide set of industry sectors, including international entities, companies offering financial services, government entities and agencies, as well as educational institutions. Their preferred targets, however, have enduringly been human and civil rights organizations.

Bismuth Uses Crypto-Mining as a Decoy

In their more recent campaign, the group compromised private and government targets located in France and Vietnam. The operation was attributed to Bismuth due to the deployment of a particular malware threat named KerrDown, which has been detected as part of its attacks exclusively.

To gain a foothold inside its target, Bismuth crafted highly-detailed spear-phishing emails directed at specific employees within the organizations. The hackers gathered various data about the selected individuals before launching corrupted emails. In some cases, the hackers even established communication with their victims to build trust and create a far more believable story. In the initial stages of the attack, Bismuth employed a technique known as DLL side-loading, which sees the hackers exploiting older applications and forcing them to load a corrupted DLL that is spoofing a legitimate file. Applications observed as being abused by the hackers are Microsoft Word 2007, McAffee scanner, Microsoft Defender and the Sysinternals DebugView tool.

To hide their true intentions, the Bismuth hackers executed a Monero crypto-mining payload on the compromised machines. While the miners weren't able to generate a ton of money, they served their purpose in averting attention away from the group's data-harvesting activities.

Bismuth Studies Its Targets

Once inside the selected machine, the Bismuth hackers take their time before striking. The group is reported as lurking for around a month inside the compromised network, searching and identifying the most useful computers to spread to. During this period, the threat actor collected various data, including domain and local administrator details, device information, and user privileges available on local systems.

The activity inside the compromised network moved through several stages, beginning with attempts to collect credentials from Security Account Manager (SAM) databases, as well as information about the domain group and user. After the initial data harvest, the threat actor tries to leverage Windows Management Instrumentation (WMI) to connect to additional devices. The final step of the process sees the hackers installing a CobaltStrike beacon via DLL side-loading.