Mercenary Group Targets Real Estate and Architecture Firm

September 25, 2020 @ 6:00 AM
| |
2 min read

A digital espionage attack against an international architectural and video production company fit the profile of advanced persistent threat (APT) mercenary groups, Bitdefender revealed on Thursday, August 20.  

At the time of analysis, this company had offices in London, New York and Australia. Its architectural projects involved real-estate developers along with high-profile architects and interior designers.

Digital Espionage For Hire 

Researchers at the security firm found the attack fit the trend of APT mercenary groups working on behalf of private firms to spy on competitor organizations. Whoever was responsible for the cyber spying had previously acquired knowledge about the company and its IT environment. They used that knowledge to infiltrate the company’s network via a plugin specifically crafted for Autodesk 3ds Max, software used in computer graphics.

The plugin enabled a Max Script Encrypted script to run a clean-up job that secretly downloaded code from the campaign’s command-and-control (C&C) infrastructure and to establish persistence.

One response from the C&C server led Bitdefender to two .NET binaries. These files executed other maxscripts that collected information about the victim and obtained a new piece of code to be executed.

By tracing this code, the security firm ended up with a .net assembly that contained a downloader. This asset obtained other binaries, including one capable of making screenshots and collecting data from the Google Chrome web browser.

Additionally, researchers discovered a toolset consisting of HdCrawler, a binary responsible for collecting and uploading information. This toolset also contained the infostealer binary described above.

Other APT Mercenary Groups

The APT-style group-for-hire digital espionage analyzed by Bitdefender is not the first of its kind. Indeed, the security firm identified three other groups who have exhibited a similar modus operandi over the years.

In October 2016, Securelist analyzed a series of watering hole attacks staged by the StrongPity APT group against Italian and Belgian encryption users. This group attracted the attention of Alien Labs three years later when researchers came across a malware campaign in which the group deployed malicious versions of WinRAR and other software to prey upon its targets. A year later Bitdefender spotted the group using trojanized software and watering hole attacks to target entities in Turkey and Syria.

In the beginning of June 2020, The Citizen Lab published a report that revealed a for-hire group called “Dark Basin” had targeted thousands of users and hundreds of companies across six continents. Many of those targeted businesses had been American nonprofit organizations and entities advocating for net neutrality. As part of its analysis, The Citizen Lab found that the group commonly used phishing emails as a way to gain entry into its targeted organization so that it could then conduct digital espionage.

It was a month after The Citizen Lab came out with its report when SecureList revealed its discovery of “Deceptikons,” a digital espionage group offering mercenary services. In its investigation of the group, Kaspersky’s researchers found that Deceptikons was not sophisticated insofar as it had not yet exploited zero-day flaws. Even so, they concluded the group was clever in its use of spear-phishing emails and its abilities to establish persistence.

How to Defend Against a Mercenary Data Breach

The groups described above are all interested in discovering a targeted organization’s secrets and ultimately exfiltrating that information to a server under the attackers’ control. With that said, it’s important that organizations invest in their ability to monitor the network for signs of lateral movement and data exfiltration. They should also consider implementing the principle of network segmentation to help defend especially sensitive parts of their infrastructure against intrusion attempts.

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...
read more