Cybersecurity researchers have uncovered crucial insights into the tactics, techniques and procedures (TTPs) employed by the threat actor APT31 (also known as Judgment Panda and Zirconium).
The research, conducted by Kaspersky’s Threat Intelligence team, sheds light on the threat actor’s dedicated implants for data gathering and exfiltration from targeted networks, particularly those of industrial organizations.
The attackers aimed to establish a permanent channel for data exfiltration, including sensitive information stored on air-gapped systems.
“The threat actor’s deliberate efforts to obfuscate their actions through encrypted payloads, memory injections, and DLL hijacking might seem to underscore the sophistication of their tactics,” commented Kirill Kruglov, a senior security researcher at Kaspersky ICS CERT.
The researchers identified over 15 distinct implants and their variants, divided into three categories based on their roles.
First-stage implants were designed to collect and archive data on the local machine. They operated by gathering information from the infected system and storing it locally for later exfiltration.
Second-stage implants focused on collecting information about removable drives. By targeting these drives, the attackers gained a means to infiltrate air-gapped networks. This technique allowed the malware to spread to isolated systems by infecting removable media.
“Although exfiltrating data from air-gapped networks is a recurrent strategy adopted by many APTs and targeted cyber-espionage campaigns, this time it has been designed and implemented uniquely by the actor,” explained Kruglov.
Finally, third-stage implants were responsible for uploading the exfiltrated data to a command-and-control (C2) server. This final step enabled the threat actor to access and utilize the stolen information.
In a report published today, Kaspersky explained that the implants’ operation was meticulously planned, involving multiple steps and techniques to remain undetected. For example, the dedicated implant for gathering local files used a DLL hijacking technique to ensure persistence, injecting payloads into legitimate processes.
Kaspersky’s researchers emphasized the importance of remaining vigilant against such threats and offered recommendations to enhance cybersecurity defenses in industrial organizations.
“As the investigation continues, [we] remain resolute in [our] dedication to safeguarding against targeted cyber-attacks and collaborating with the cybersecurity community to disseminate actionable intelligence,” Kruglov concluded.
Recommendations include installing up-to-date security solutions, restricting the use of privileged accounts and employing managed detection and response services for swift threat mitigation.