Contopee

By GoldSparrow in Trojans

Several very high-profile hacking groups around the world have done considerable damage globally in recent years. One of them is the North Korean group APT38 (APT stands for Advanced Persistent Threat). Its bread and butter is financial institutions. One of the most high-profile APT38 attacks was launched against the Bangladesh Central Bank; that campaign netted the group a total of $81,000,000. APT38 is known for its patience and stealth: it takes its time when launching a campaign and often manages to cover up almost all of its threatening activity.

Likely Working with Lazarus

Recently, APT38 appears to have added a brand-new hacking tool to its arsenal, the Contopee backdoor Trojan. It is likely that APT38 worked in cooperation with another North Korean hacking group called Lazarus, as the Contopee Trojan is fairly similar to tools that belong to Lazarus. The Lazarus hacking group is most famous for its attack against Sony Pictures Entertainment.

Gaining Persistence and Collecting Information

Once the Contopee Trojan infects a host, it immediately establishes persistence. Next, the backdoor connects to its operators' C&C (Command & Control) server. It then collects basic system information such as installed software, OS version, username and configuration details, and transfers all of the collected data to the attackers' C&C server.
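The sequence above (persistence first, then an outbound connection to the operators) is a generic backdoor pattern that can be hunted for in endpoint telemetry without knowing the implant's hashes or domains. The following is an added illustration written for this page; it is not code from the article, from Contopee, or from any vendor product. The event schema, the autostart registry paths, the "internal network" ranges, the image names and the IP addresses are all assumptions constructed for the example, not Contopee indicators.

```python
"""Toy hunt: flag processes that write an autostart registry key and then
open an external network connection shortly afterwards, i.e. the
"gain persistence, then contact C&C" sequence the article describes.

All events, paths and addresses below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed)
    kind: str      # "process_create" | "registry_set" | "network_connect"
    pid: int
    image: str     # executable path of the acting process
    detail: str    # registry value path, or "ip:port" for connections

# Autostart locations treated as persistence (assumed, non-exhaustive list).
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Ranges treated as "inside the network" for this example; traffic to anything
# else counts as a potential beacon. RFC 1918 plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

def is_persistence(ev: Event) -> bool:
    """True for a registry write under one of the autostart Run keys."""
    if ev.kind != "registry_set":
        return False
    path = ev.detail.upper()
    return any(path.startswith(k.upper()) for k in RUN_KEYS)

def is_external_connect(ev: Event) -> bool:
    """True for a connection whose destination is outside INTERNAL_NETS."""
    if ev.kind != "network_connect":
        return False
    host = ev.detail.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # unresolved hostnames are out of scope for this toy
    return not any(addr in net for net in INTERNAL_NETS)

def hunt(events, window: int = 120):
    """Return {pid: (persistence_event, beacon_event)} for every process that
    writes an autostart key and, within `window` seconds, connects outside
    the internal ranges. Events may arrive unordered; they are sorted by ts."""
    by_pid = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid.setdefault(ev.pid, []).append(ev)
    hits = {}
    for pid, evs in by_pid.items():
        persist = next((e for e in evs if is_persistence(e)), None)
        if persist is None:
            continue
        beacon = next((e for e in evs
                       if is_external_connect(e)
                       and 0 <= e.ts - persist.ts <= window), None)
        if beacon is not None:
            hits[pid] = (persist, beacon)
    return hits

# Constructed sample telemetry: one suspicious process, two benign ones.
SAMPLE_EVENTS = [
    Event(1000, "process_create", 4242, r"C:\Users\bob\AppData\Local\Temp\svch0st.exe", ""),
    Event(1003, "registry_set", 4242, r"C:\Users\bob\AppData\Local\Temp\svch0st.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(1020, "network_connect", 4242, r"C:\Users\bob\AppData\Local\Temp\svch0st.exe",
          "203.0.113.25:443"),
    # A vendor installer also writes a Run key, but only talks to a LAN host.
    Event(1100, "registry_set", 5151, r"C:\Program Files\Vendor\setup.exe",
          r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"),
    Event(1105, "network_connect", 5151, r"C:\Program Files\Vendor\setup.exe", "10.0.0.5:8080"),
    # A browser connects out but never touches an autostart key.
    Event(1200, "network_connect", 6161, r"C:\Program Files\Browser\browser.exe", "198.51.100.7:443"),
]

if __name__ == "__main__":
    for pid, (persist, beacon) in hunt(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({persist.image}): wrote {persist.detail} at {persist.ts}, "
              f"then connected to {beacon.detail} {beacon.ts - persist.ts}s later")
```

Run as a script, it reports only pid 4242. The window parameter is the tuning knob: a backdoor that persists immediately and beacons right away is caught with a short window, while a longer window trades more coverage for more installer-style false positives, which is why the benign LAN-only installer is in the sample set.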

Capabilities

Once that is done, the Contopee backdoor Trojan is able to:

  • Upload files.
  • Download files.
  • Move files.
  • Execute files.
  • Manage the running processes.
  • Create folders.
  • Change the directory in which the Trojan’s files are stored.

The Contopee Trojan's feature list may look short, but it can still cause great harm to a compromised host. The Trojan is most likely used for espionage and as a first-stage payload that lets the attackers infect the host with additional malware.
