
A Joint Analysis Reveals APT Group Spying Activities


A joint analysis by digital security products provider Avast and internet security company ESET evaluated the samples used by an APT threat group targeting Central Asian companies and institutions. It found that the APT group allegedly spied on a telecommunications company, a gas company, and a governmental agency in Central Asia.

The analysis revealed that the group planted backdoors to gain access to corporate networks. The APT group is also suspected of being behind attacks in Mongolia, Russia, and Belarus. The implanted backdoors allowed the threat actors to manipulate and delete files, take screenshots, manipulate processes and services, execute console commands, and exfiltrate data to a C&C server.

According to Avast, the group also used tools such as the Gh0st RAT backdoor and management instrumentation to move laterally within infiltrated networks. Gh0st RAT is a popular backdoor associated with East Asian attackers. “It is commonly assumed that Gh0st RAT source code is widely available. Its presence is often indicated by a file named rastls.dll, using an export DLL name svchost.dll and containing a string Gh0st. A string uwqixgze} is used as a placeholder for the C&C domain,” Avast said in a report.
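The indicators in the quote above (a file named rastls.dll, an export-directory DLL name of svchost.dll, the string Gh0st, and the C&C placeholder string uwqixgze}) are the kind of thing a defender turns into a file scan. The following is an added example, not code from the Avast/ESET report or from the article; the minimal PE export-directory parser and the constructed sample file it scans are assumptions made for illustration, and a production check would use a hardened PE library or a YARA rule with the same conditions.

```python
# Added example (not from the Avast/ESET report): scan a file for the
# Gh0st RAT indicators named in the report. The PE parsing below is a
# deliberately small subset written for this example, and build_sample_pe()
# constructs a synthetic, benign PE so the scanner can run offline.
import os
import struct

INDICATOR_STRINGS = (b"Gh0st", b"uwqixgze}")   # strings quoted in the report
SUSPICIOUS_FILENAME = "rastls.dll"
SUSPICIOUS_EXPORT_NAME = "svchost.dll"


def pe_export_dll_name(data: bytes):
    """Return the DLL name recorded in the PE export directory, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+
    export_rva = struct.unpack_from("<I", data, dir_off)[0]
    if export_rva == 0:
        return None
    # Section table follows the optional header; it maps RVAs to file offsets.
    sections = []
    sec = opt + opt_size
    for i in range(num_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sec + i * 40 + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        return None

    exp_off = rva_to_off(export_rva)
    if exp_off is None:
        return None
    name_rva = struct.unpack_from("<I", data, exp_off + 12)[0]   # IMAGE_EXPORT_DIRECTORY.Name
    name_off = rva_to_off(name_rva)
    if name_off is None:
        return None
    end = data.find(b"\0", name_off)
    return data[name_off:end].decode("ascii", "replace")


def gh0st_indicators(path: str, data: bytes) -> list:
    """Return the list of report indicators that match this file (empty if none)."""
    hits = []
    if os.path.basename(path.replace("\\", "/")).lower() == SUSPICIOUS_FILENAME:
        hits.append("filename:" + SUSPICIOUS_FILENAME)
    if pe_export_dll_name(data) == SUSPICIOUS_EXPORT_NAME:
        hits.append("export_name:" + SUSPICIOUS_EXPORT_NAME)
    for s in INDICATOR_STRINGS:
        if s in data:
            hits.append("string:" + s.decode())
    return hits


def build_sample_pe(export_name: bytes, payload: bytes) -> bytes:
    """Constructed minimal PE32 with one section holding an export directory (test data only)."""
    section_rva, section_off = 0x1000, 0x200
    # Export directory: Characteristics, TimeDateStamp, Major, Minor, Name RVA, Base, ...
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, section_rva + 40, 1, 0, 0, 0, 0, 0)
    section = export_dir + export_name + b"\0" + payload
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                         # PE32 magic, then data dirs at +96
    opt += struct.pack("<II", section_rva, len(export_dir) + len(export_name) + 1)
    opt += b"\0" * (224 - len(opt))
    sec_hdr = b".rdata\0\0" + struct.pack("<IIII", len(section), section_rva, len(section), section_off)
    sec_hdr += b"\0" * 16
    header = dos + coff + opt + sec_hdr
    return header + b"\0" * (section_off - len(header)) + section


if __name__ == "__main__":
    sample = build_sample_pe(b"svchost.dll", b"config: Gh0st C2=uwqixgze} end")
    print(gh0st_indicators("C:\\Windows\\rastls.dll", sample))
    print(gh0st_indicators("/tmp/benign.dll", build_sample_pe(b"benign.dll", b"hello")))
```

Any single indicator is weak on its own (svchost.dll is a legitimate name, and `Gh0st` can appear in benign data), so a hunt query would normally require two or more hits, and the placeholder string is the strongest of the four because it is meaningless outside this tooling.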

“Avast believes the group is from China, which has been known to be used by Chinese APT groups in the past and similarities in the code Avast analyzed and code recently analyzed in a campaign attributed to Chinese actors,” the report added.

Luigino Camastra, malware researcher at Avast, said, “The group behind the attack frequently recompiled their custom tools to avoid antivirus detection, which, in addition to the backdoors, included Mimikatz and Gh0st RAT. This has led to a large number of samples, with binaries often protected by VMProtect, making analysis more difficult. Based on what we have discovered and the fact that we were able to tie elements of these attacks back to attacks carried out on other countries, we assume this group is also targeting further countries.”

In separate research, a threat intelligence team from Avast revealed that adware (advertising-supported software) accounts for 72% of all mobile malware, with the remaining 28% made up of banking Trojans, fake apps, lockers, and downloaders. Adware is a kind of software that hijacks mobile devices to spam the victim with unwanted ads.

Avast stated that Android adware is a rising issue, with its numbers having increased by 38% in the past year alone. Adware disguises itself as gaming and entertainment apps, infecting devices when a user clicks on ads. Such apps appear genuine during installation, but once opened they start spamming the user with ads, much of it malicious content. They can also run stealthy activities without the user’s knowledge, such as downloading an encrypted .dex file in the background of the device.