CactusPete APT Hones Toolset, Resurfaces with New Espionage Targets


Level 73
Content Creator
Malware Hunter
Aug 17, 2014
The China-based APT known as CactusPete has returned with a new campaign aimed at military and financial targets in Eastern Europe, which is a new geography for the group’s victimology, according to researchers. The group also used a fresh variant of the Bisonal backdoor, which allows the attackers to steal information, execute code on target machines and perform lateral movement inside a network.

The activity, which Kaspersky tracked through the end of April, involved multiple sample versions of Bisonal, though these were nearly identical to each other. The samples have been compiled rapidly, with more than 20 of them per month appearing in the wild, the firm found.

“This underlines the speed of CactusPete’s development,” noted Kaspersky researcher Konstantin Zykov, in a blog post on Thursday. He added that the backdoor was likely delivered to targets via spear-phishing emails with attachments containing exploits for known vulnerabilities, according to the analysis.

On the technical side, the malware is fairly straightforward: Once the malware executes, it connects to a hard-coded command-and-control server (C2) using unmodified HTTP-based protocol.
“The request-and-response body are RC4-encrypted, and the encryption key is also hardcoded into the sample,” according to Zykov. “As the result of the RC4 encryption, it may contain binary data, [and] the malware additionally encodes it in Base64, to match the HTTP specification.”

Once attached to the C2, Bisonal harvests various machine-fingerprint information, such as hostname, IP and MAC address; Windows version; and the time set on the infected host, and sends it on. After that, it lies in wait on the target machine, occasionally pinging the C2 to see if there are any commands for it to carry out. In his analysis, Zykov foundthat Bisonal’s capabilities include executing a remote shell; silently starting a program; terminating any process; uploading, downloading or deleting files; and retrieving other data, like a list of available drives, a filelist of a specified folder or a list of processes.