September 25, 2020 By David Bisson 2 min read

A digital espionage attack against an international architectural and video production company fit the profile of advanced persistent threat (APT) mercenary groups, Bitdefender revealed on Thursday, August 20.  

At the time of analysis, this company had offices in London, New York and Australia. Its architectural projects involved real-estate developers along with high-profile architects and interior designers.

Digital Espionage For Hire 

Researchers at the security firm found the attack fit the trend of APT mercenary groups working on behalf of private firms to spy on competitor organizations. Whoever was responsible for the cyber spying had previously acquired knowledge about the company and its IT environment. They used that knowledge to infiltrate the company’s network via a plugin specifically crafted for Autodesk 3ds Max, software used in computer graphics.

The plugin enabled a Max Script Encrypted script to run a clean-up job that secretly downloaded code from the campaign’s command-and-control (C&C) infrastructure and to establish persistence.

One response from the C&C server led Bitdefender to two .NET binaries. These files executed other maxscripts that collected information about the victim and obtained a new piece of code to be executed.

By tracing this code, the security firm ended up with a .net assembly that contained a downloader. This asset obtained other binaries, including one capable of making screenshots and collecting data from the Google Chrome web browser.

Additionally, researchers discovered a toolset consisting of HdCrawler, a binary responsible for collecting and uploading information. This toolset also contained the infostealer binary described above.

Other APT Mercenary Groups

The APT-style group-for-hire digital espionage analyzed by Bitdefender is not the first of its kind. Indeed, the security firm identified three other groups who have exhibited a similar modus operandi over the years.

In October 2016, Securelist analyzed a series of watering hole attacks staged by the StrongPity APT group against Italian and Belgian encryption users. This group attracted the attention of Alien Labs three years later when researchers came across a malware campaign in which the group deployed malicious versions of WinRAR and other software to prey upon its targets. A year later Bitdefender spotted the group using trojanized software and watering hole attacks to target entities in Turkey and Syria.

In the beginning of June 2020, The Citizen Lab published a report that revealed a for-hire group called “Dark Basin” had targeted thousands of users and hundreds of companies across six continents. Many of those targeted businesses had been American nonprofit organizations and entities advocating for net neutrality. As part of its analysis, The Citizen Lab found that the group commonly used phishing emails as a way to gain entry into its targeted organization so that it could then conduct digital espionage.

It was a month after The Citizen Lab came out with its report when SecureList revealed its discovery of “Deceptikons,” a digital espionage group offering mercenary services. In its investigation of the group, Kaspersky’s researchers found that Deceptikons was not sophisticated insofar as it had not yet exploited zero-day flaws. Even so, they concluded the group was clever in its use of spear-phishing emails and its abilities to establish persistence.

How to Defend Against a Mercenary Data Breach

The groups described above are all interested in discovering a targeted organization’s secrets and ultimately exfiltrating that information to a server under the attackers’ control. With that said, it’s important that organizations invest in their ability to monitor the network for signs of lateral movement and data exfiltration. They should also consider implementing the principle of network segmentation to help defend especially sensitive parts of their infrastructure against intrusion attempts.

More from

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today