A digital espionage attack against an international architectural and video production company fit the profile of advanced persistent threat (APT) mercenary groups, Bitdefender revealed on Thursday, August 20.  

At the time of analysis, this company had offices in London, New York and Australia. Its architectural projects involved real-estate developers along with high-profile architects and interior designers.

Digital Espionage For Hire 

Researchers at the security firm found the attack fit the trend of APT mercenary groups working on behalf of private firms to spy on competitor organizations. Whoever was responsible for the cyber spying had previously acquired knowledge about the company and its IT environment. They used that knowledge to infiltrate the company’s network via a plugin specifically crafted for Autodesk 3ds Max, software used in computer graphics.

The plugin enabled a Max Script Encrypted script to run a clean-up job that secretly downloaded code from the campaign’s command-and-control (C&C) infrastructure and to establish persistence.

One response from the C&C server led Bitdefender to two .NET binaries. These files executed other maxscripts that collected information about the victim and obtained a new piece of code to be executed.

By tracing this code, the security firm ended up with a .net assembly that contained a downloader. This asset obtained other binaries, including one capable of making screenshots and collecting data from the Google Chrome web browser.

Additionally, researchers discovered a toolset consisting of HdCrawler, a binary responsible for collecting and uploading information. This toolset also contained the infostealer binary described above.

Other APT Mercenary Groups

The APT-style group-for-hire digital espionage analyzed by Bitdefender is not the first of its kind. Indeed, the security firm identified three other groups who have exhibited a similar modus operandi over the years.

In October 2016, Securelist analyzed a series of watering hole attacks staged by the StrongPity APT group against Italian and Belgian encryption users. This group attracted the attention of Alien Labs three years later when researchers came across a malware campaign in which the group deployed malicious versions of WinRAR and other software to prey upon its targets. A year later Bitdefender spotted the group using trojanized software and watering hole attacks to target entities in Turkey and Syria.

In the beginning of June 2020, The Citizen Lab published a report that revealed a for-hire group called “Dark Basin” had targeted thousands of users and hundreds of companies across six continents. Many of those targeted businesses had been American nonprofit organizations and entities advocating for net neutrality. As part of its analysis, The Citizen Lab found that the group commonly used phishing emails as a way to gain entry into its targeted organization so that it could then conduct digital espionage.

It was a month after The Citizen Lab came out with its report when SecureList revealed its discovery of “Deceptikons,” a digital espionage group offering mercenary services. In its investigation of the group, Kaspersky’s researchers found that Deceptikons was not sophisticated insofar as it had not yet exploited zero-day flaws. Even so, they concluded the group was clever in its use of spear-phishing emails and its abilities to establish persistence.

How to Defend Against a Mercenary Data Breach

The groups described above are all interested in discovering a targeted organization’s secrets and ultimately exfiltrating that information to a server under the attackers’ control. With that said, it’s important that organizations invest in their ability to monitor the network for signs of lateral movement and data exfiltration. They should also consider implementing the principle of network segmentation to help defend especially sensitive parts of their infrastructure against intrusion attempts.

More from

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…