September 25, 2020 By David Bisson 2 min read

A digital espionage attack against an international architectural and video production company fit the profile of advanced persistent threat (APT) mercenary groups, Bitdefender revealed on Thursday, August 20.  

At the time of analysis, this company had offices in London, New York and Australia. Its architectural projects involved real-estate developers along with high-profile architects and interior designers.

Digital Espionage For Hire 

Researchers at the security firm found the attack fit the trend of APT mercenary groups working on behalf of private firms to spy on competitor organizations. Whoever was responsible for the cyber spying had previously acquired knowledge about the company and its IT environment. They used that knowledge to infiltrate the company’s network via a plugin specifically crafted for Autodesk 3ds Max, software used in computer graphics.

The plugin enabled a Max Script Encrypted script to run a clean-up job that secretly downloaded code from the campaign’s command-and-control (C&C) infrastructure and to establish persistence.

One response from the C&C server led Bitdefender to two .NET binaries. These files executed other maxscripts that collected information about the victim and obtained a new piece of code to be executed.

By tracing this code, the security firm ended up with a .net assembly that contained a downloader. This asset obtained other binaries, including one capable of making screenshots and collecting data from the Google Chrome web browser.

Additionally, researchers discovered a toolset consisting of HdCrawler, a binary responsible for collecting and uploading information. This toolset also contained the infostealer binary described above.

Other APT Mercenary Groups

The APT-style group-for-hire digital espionage analyzed by Bitdefender is not the first of its kind. Indeed, the security firm identified three other groups who have exhibited a similar modus operandi over the years.

In October 2016, Securelist analyzed a series of watering hole attacks staged by the StrongPity APT group against Italian and Belgian encryption users. This group attracted the attention of Alien Labs three years later when researchers came across a malware campaign in which the group deployed malicious versions of WinRAR and other software to prey upon its targets. A year later Bitdefender spotted the group using trojanized software and watering hole attacks to target entities in Turkey and Syria.

In the beginning of June 2020, The Citizen Lab published a report that revealed a for-hire group called “Dark Basin” had targeted thousands of users and hundreds of companies across six continents. Many of those targeted businesses had been American nonprofit organizations and entities advocating for net neutrality. As part of its analysis, The Citizen Lab found that the group commonly used phishing emails as a way to gain entry into its targeted organization so that it could then conduct digital espionage.

It was a month after The Citizen Lab came out with its report when SecureList revealed its discovery of “Deceptikons,” a digital espionage group offering mercenary services. In its investigation of the group, Kaspersky’s researchers found that Deceptikons was not sophisticated insofar as it had not yet exploited zero-day flaws. Even so, they concluded the group was clever in its use of spear-phishing emails and its abilities to establish persistence.

How to Defend Against a Mercenary Data Breach

The groups described above are all interested in discovering a targeted organization’s secrets and ultimately exfiltrating that information to a server under the attackers’ control. With that said, it’s important that organizations invest in their ability to monitor the network for signs of lateral movement and data exfiltration. They should also consider implementing the principle of network segmentation to help defend especially sensitive parts of their infrastructure against intrusion attempts.

More from

CISA hit by hackers, key systems taken offline

3 min read - The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed…

Cloud security evolution: Years of progress and challenges

7 min read - Over a decade since its advent, cloud computing continues to enable organizational agility through scalability, efficiency and resilience. As clients shift from early experiments to strategic workloads, persistent security gaps demand urgent attention even as providers expand infrastructure safeguards.The prevalence of cloud-native services has grown exponentially over the past decade, with cloud providers consistently introducing a multitude of new services at an impressive pace. Now, the contemporary cloud environment is not only larger but also more diverse. Unfortunately, that size…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today