September 25, 2020 By David Bisson 2 min read

A digital espionage attack against an international architectural and video production company fit the profile of advanced persistent threat (APT) mercenary groups, Bitdefender revealed on Thursday, August 20.  

At the time of analysis, this company had offices in London, New York and Australia. Its architectural projects involved real-estate developers along with high-profile architects and interior designers.

Digital Espionage For Hire 

Researchers at the security firm found the attack fit the trend of APT mercenary groups working on behalf of private firms to spy on competitor organizations. Whoever was responsible for the cyber spying had previously acquired knowledge about the company and its IT environment. They used that knowledge to infiltrate the company’s network via a plugin specifically crafted for Autodesk 3ds Max, software used in computer graphics.

The plugin enabled a Max Script Encrypted script to run a clean-up job that secretly downloaded code from the campaign’s command-and-control (C&C) infrastructure and to establish persistence.

One response from the C&C server led Bitdefender to two .NET binaries. These files executed other maxscripts that collected information about the victim and obtained a new piece of code to be executed.

By tracing this code, the security firm ended up with a .net assembly that contained a downloader. This asset obtained other binaries, including one capable of making screenshots and collecting data from the Google Chrome web browser.

Additionally, researchers discovered a toolset consisting of HdCrawler, a binary responsible for collecting and uploading information. This toolset also contained the infostealer binary described above.

Other APT Mercenary Groups

The APT-style group-for-hire digital espionage analyzed by Bitdefender is not the first of its kind. Indeed, the security firm identified three other groups who have exhibited a similar modus operandi over the years.

In October 2016, Securelist analyzed a series of watering hole attacks staged by the StrongPity APT group against Italian and Belgian encryption users. This group attracted the attention of Alien Labs three years later when researchers came across a malware campaign in which the group deployed malicious versions of WinRAR and other software to prey upon its targets. A year later Bitdefender spotted the group using trojanized software and watering hole attacks to target entities in Turkey and Syria.

In the beginning of June 2020, The Citizen Lab published a report that revealed a for-hire group called “Dark Basin” had targeted thousands of users and hundreds of companies across six continents. Many of those targeted businesses had been American nonprofit organizations and entities advocating for net neutrality. As part of its analysis, The Citizen Lab found that the group commonly used phishing emails as a way to gain entry into its targeted organization so that it could then conduct digital espionage.

It was a month after The Citizen Lab came out with its report when SecureList revealed its discovery of “Deceptikons,” a digital espionage group offering mercenary services. In its investigation of the group, Kaspersky’s researchers found that Deceptikons was not sophisticated insofar as it had not yet exploited zero-day flaws. Even so, they concluded the group was clever in its use of spear-phishing emails and its abilities to establish persistence.

How to Defend Against a Mercenary Data Breach

The groups described above are all interested in discovering a targeted organization’s secrets and ultimately exfiltrating that information to a server under the attackers’ control. With that said, it’s important that organizations invest in their ability to monitor the network for signs of lateral movement and data exfiltration. They should also consider implementing the principle of network segmentation to help defend especially sensitive parts of their infrastructure against intrusion attempts.

More from

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

Crisis communication: What NOT to do

4 min read - Read the 1st blog in this series, Cybersecurity crisis communication: What to doWhen an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today