Positive Technologies experts discovered the hacker group Calypso, which has been operating since 2016 and the main target of its attacks are government agencies.
The group is currently active in six countries: according to experts, organizations from India (34% of the victims), Brazil, Kazakhstan (18% each), Russia, Thailand (12% each) and Turkey (6%) have already suffered from the group’s actions).“The PT Expert Security Center first took note of Calypso in March 2019 during threat hunting. Our specialists collected multiple samples of malware used by the group. They have also identified the organizations hit by the attackers, as well as the attackers’ C2 servers”, — write Positive Technologies specialists.
According to the data obtained, the identified APT group presumably has Asian roots and is among the Chinese speakers. In one of the attacks, the group used the PlugX malware, which is traditionally used by many APT groups of Chinese origin, as well as the Byeby Trojan, which was used in the SongXY malware campaign in 2017.
Read also: Steam users expect a wave of phishing attacks
In one of the attacks, the group used Calypso RAT, PlugX and the Byeby Trojan. Calypso RAT is a malware that is unique to the group and will be analyzed in detail in the following text.
Many APT groups of Asian descent have traditionally used PlugX. Using PlugX does not in itself indicate a specific group, but is generally of Asian origin.
In addition, during individual attacks, attackers mistakenly revealed their real IP addresses belonging to Chinese providers.
Attackers broke into the network perimeter and placed on it a special program through which they gained access to the internal networks of compromised organizations.
As the investigation showed, attackers are moving inside the network either by exploiting the remote code execution vulnerability MS17-010 (the well-known exploit EternalBlue is designed specifically for this bug, which also has the identifier CVE-2017-0144), or by using stolen credentials.
“The success of the attacks of this group is greatly facilitated by the fact that most of the utilities used by it to advance within the network are widely used by specialists around the world for network administration. The grouping used public utilities and exploits, for example SysInternals, Mimikatz; EternalBlue, EternalRomance. With the help of common exploits, criminals infect computers on the organization’s local network and steal confidential data”, – Denis Kuvshinov, a leading specialist of the cyber threat research group, said.
