VPNs and Clouds: New Tools in the APT Arsenal, ESET Warns

ESET’s latest APT Activity Report for April through September 2024 offers new insights into the evolving tactics, targets, and geographical reach of state-aligned Advanced Persistent Threat (APT) groups. The report documents a surge in sophisticated attacks targeting sectors from government to education, with groups increasingly leveraging VPNs, cloud services, and spearphishing techniques.

China-aligned APT groups have increased reliance on SoftEther VPN to maintain access in compromised networks, often bypassing firewall protections. “ESET researchers have observed several China-aligned APT groups relying more and more on SoftEther VPN to maintain access to their victims’ networks,” ESET notes, with groups like Flax Typhoon and GALLIUM deploying SoftEther servers and bridges across telecommunications and governmental organizations in Europe and Africa.

In a significant shift, MirrorFace, a group typically focused on Japanese entities, has expanded operations to target European diplomatic entities, using high-profile events as lures. In one campaign, MirrorFace leveraged interest in the upcoming 2025 World Expo in Osaka by sending spearphishing emails with links disguised as event-related documents. This marks “the first time we have detected MirrorFace targeting a European entity,” underscoring an expansion in China-aligned APT interests beyond Asia.

Iranian APT groups have continued their cyberespionage campaigns against neighboring countries and key sectors, such as financial services and transportation. MuddyWater, known for its hands-on attacks, has increasingly moved toward “lateral movement and performing hands-on keyboard activities,” often using network shares to stage and exfiltrate stolen credentials. ESET researchers observed MuddyWater “spending 13 hours” attempting to dump memory without success, suggesting both advanced capabilities and persistent efforts to penetrate defenses.

Iran-aligned groups are also leveraging cyber tactics to support broader geopolitical strategies. According to ESET, “Iran has made no secret of the fact that its interests in Africa and the continent’s natural resources are key components of its international policies.” MuddyWater has thus targeted financial institutions in Africa while intensifying interest in Israel’s transportation sector amid regional tensions.

North Korea-aligned APT groups, particularly Lazarus and Kimsuky, continue to exploit cloud services to conceal command-and-control communications. Kimsuky frequently uses services like Google Drive and Dropbox for both hosting and exfiltration. “This is the first time we have seen an APT group – specifically ScarCruft – abusing Zoho cloud services,” notes the report.

Lazarus’s continued “Operation DreamJob” involves sending fake job offers to lure victims, with particular focus on the defense and cryptocurrency sectors. By sending decoy job postings, often from prominent companies like Airbus or BAE Systems, Lazarus is able to infiltrate organizations under the guise of recruitment. Once the relationship is established, malicious files are deployed to steal information and conduct espionage.

Russia-aligned APT groups have maintained a focus on Ukraine, employing extensive spearphishing campaigns and exploiting vulnerabilities in webmail platforms like Zimbra and Roundcube. Sednit and GreenCube have both deployed cross-site scripting (XSS) payloads, stealing emails and credentials by exploiting “known XSS vulnerabilities” in these platforms. ESET’s report highlights GreenCube’s repeated targeting of defense and governmental organizations across Europe, underscoring the group’s focus on strategic intelligence gathering.

The ongoing Russia-Ukraine conflict has prompted sophisticated attacks by Sandworm and Gamaredon, with the latter recently deploying a new PowerShell tool named PteroGraphin. This tool provides “persistent downloader” functionality, retrieving encrypted payloads via Telegram’s publishing platform. Sandworm, meanwhile, deployed its Linux malware, LOADGRIP and BIASBOAT, against targeted Ukrainian infrastructure.

APT groups are increasingly integrating VPN solutions, cloud storage, and remote administration files such as Microsoft Management Console (MSC) console files into their arsenal, revealing a strategic shift toward infiltration methods that blend in with legitimate network traffic and administrative activity. For example, Kimsuky and other APTs have begun using MSC files to execute arbitrary commands, disguising them as harmless documents to evade detection.

A malicious MSC file, from the victim’s perspective | Image: ESET
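Two of the patterns the report highlights, SoftEther VPN components appearing on compromised hosts and MSC console files delivered as "documents", leave a footprint in ordinary process-creation telemetry. The script below is an added example written for this summary, not ESET's code or detection logic: it runs two defender-side heuristics over a handful of constructed process-creation events. The allowlist of hosts sanctioned to run SoftEther, the SoftEther binary names it matches on, and the set of user-writable directories are assumptions for the example; stock consoles such as services.msc live under the Windows system directories and are deliberately not flagged.

```python
"""Heuristics over process-creation events for two tradecraft patterns:
mmc.exe opening a console (.msc) file from outside the Windows system
directories, and SoftEther VPN components running on hosts not sanctioned
to run them.  All sample events below are constructed for this example."""
import re
from dataclasses import dataclass

# Assumption for the example: the only host where SoftEther is expected.
SOFTETHER_ALLOWED_HOSTS = {"vpn-gw-01"}
# SoftEther Windows component names (assumed: vpnserver_x64.exe, vpnbridge_x64.exe, ...).
SOFTETHER_IMAGE = re.compile(r"^vpn(server|bridge|client|cmd)(_x64)?\.exe$", re.I)
# Where the built-in consoles live; an .msc from here is treated as benign.
SYSTEM_DIRS = re.compile(r"^[a-z]:\\Windows\\(System32|SysWOW64)\\", re.I)
# User-writable locations a phished "document" would typically be opened from.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp|"
    r"AppData\\Local\\Microsoft\\Windows\\INetCache)\\", re.I)
# First quoted-or-bare token on the command line that ends in .msc.
MSC_ARG = re.compile(r'"?([^"\s]+\.msc)"?', re.I)


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str      # full path of the created process
    cmdline: str    # full command line as logged


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str   # "high" or "medium"
    reason: str


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_msc(ev):
    """Flag mmc.exe loading a console file that is not a stock system console.
    An .msc under a user-writable directory is rated high; elsewhere medium."""
    if basename(ev.image) != "mmc.exe":
        return None
    m = MSC_ARG.search(ev.cmdline)
    if not m:
        return None
    msc = m.group(1)
    if SYSTEM_DIRS.match(msc):
        return None
    sev = "high" if USER_WRITABLE.search(msc) else "medium"
    return Finding(ev.host, sev, f"mmc.exe opened non-system MSC: {msc}")


def check_softether(ev):
    """Flag a SoftEther component on a host outside the sanctioned set.
    Name matching is only a first pass: renamed binaries need hash or
    signer-based checks, which this example does not attempt."""
    if not SOFTETHER_IMAGE.match(basename(ev.image)):
        return None
    if ev.host.lower() in SOFTETHER_ALLOWED_HOSTS:
        return None
    return Finding(ev.host, "high",
                   f"unsanctioned SoftEther component: {basename(ev.image)}")


def scan(events):
    """Run every check over every event and collect the findings."""
    findings = []
    for ev in events:
        for check in (check_msc, check_softether):
            f = check(ev)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    ProcessEvent("ws-017", r"C:\Windows\System32\mmc.exe",
                 r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\services.msc"'),
    ProcessEvent("ws-017", r"C:\Windows\System32\mmc.exe",
                 r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\Expo2025_Invitation.msc"'),
    ProcessEvent("fileserver-02", r"C:\ProgramData\svc\vpnbridge_x64.exe",
                 r'"C:\ProgramData\svc\vpnbridge_x64.exe" /service'),
    ProcessEvent("vpn-gw-01", r"C:\Program Files\SoftEther VPN Server\vpnserver_x64.exe",
                 r'"C:\Program Files\SoftEther VPN Server\vpnserver_x64.exe" /service'),
    ProcessEvent("ws-042", r"C:\Windows\System32\mmc.exe",
                 r'"C:\Windows\System32\mmc.exe" D:\Tools\custom.msc'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.host}: {f.reason}")
```

In the sample set the stock services.msc and the sanctioned VPN gateway produce nothing, the MSC opened from a Downloads folder and the SoftEther bridge on a file server are rated high, and the console loaded from a non-system but not user-writable path is rated medium for analyst review.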

As these tactics become more prevalent, ESET urges organizations to enhance vigilance, particularly around VPN usage and cloud integrations.