Kaspersky Uncovers New APT “Mercenary” Group

Written by

Security researchers at Kaspersky have uncovered a new cyber-mercenary group that they claim has been providing hacking services for hire for almost a decade.

Dubbed “Deceptikons,” the APT group isn’t particularly sophisticated from a technical perspective and isn’t known to have deployed any zero-day threats during that time, the Russian AV vendor said in a Q2 round-up report.

“The Deceptikons infrastructure and malware set is clever, rather than technically advanced. It is also highly persistent and in many ways reminds us of WildNeutron,” the firm said.

Also known as Jripbot and Morpho, WildNeutron was known for targeting private companies for profit around the globe, most notably Apple, Facebook, Twitter and Microsoft in 2013. The threat actors behind the group were noted for the care they took in hiding command and control server (C&C) addresses and building-in special features to help with recovery from any C&C shutdown attempts.

Like WildNeutron, Deceptikons is unusual for APT groups in focusing on commercial and non-governmental targets.

“In 2019, Deceptikons spear-phished a set of European law firms, deploying PowerShell scripts. As in previous campaigns, the actor used modified LNK files requiring user interaction to initially compromise systems and execute a PowerShell backdoor,” explained Kaspersky.

“In all likelihood, the group’s motivations included obtaining specific financial information, details of negotiations and perhaps even evidence of the law firms’ clientele.”

Hacker-for-hire groups represent a different but no less immediate threat to organizations than state-sponsored operatives. In some cases, they do go after government as well as commercial targets.

In June, Citizen Lab uncovered a major operation against journalists, rights groups, government officials, financial institutions and others, apparently orchestrated by an Indian tech firm. The mere presence of Dark Basin, as well as Deceptikons and groups like them, indicates there is a thriving market in the outsourcing of cyber-espionage activity.

What’s hot on Infosecurity Magazine?