
APT Group Wages Cyber Espionage Campaign

Symantec: Palmerworm Targeting Victims in US, Asia

Palmerworm, an advanced persistent threat group that's been active since 2013, is waging a cyber espionage campaign targeting organizations in the U.S. and Asia, according to researchers at Symantec.


Palmerworm hackers are using new customized malware as well as "living off the land" techniques - manipulating tools and commands already built into an operating system for malicious purposes, the researchers say.

The APT group, which is also known as BlackTech, has waged long-term espionage campaigns that target a variety of industries. In its latest campaign, which started in August 2019, the hackers have targeted news media, electronics and finance companies in Taiwan, an engineering company based in Japan and a construction company in China as well as U.S. organizations, according to the report.

"While we cannot see what Palmerworm is exfiltrating from these victims, the group is considered an espionage group, and its likely motivation is considered to be stealing information from targeted companies," the Symantec researchers note.

Officials in Taiwan believe the hacking group has connections to China and its government, Reuters reported in August.

Palmerworm's Toolbox

Symantec is unsure of the initial entry technique employed by Palmerworm to gain access to targeted networks, but the gang has previously been observed using spear-phishing emails.

The APT group is using previously unseen malware families that Symantec labels Backdoor.Consock, Backdoor.Waship, Backdoor.Dalwit and Backdoor.Nomri. The malware, however, might be new versions of earlier malware variants used by the gang.

Palmerworm also uses a custom loader, called Trojan Horse, and a network reconnaissance tool known as Hacktool, Symantec says. And the APT group uses the dual-use tools PuTTY, PsExec, SNScan and WinRAR, which other hacking groups also frequently weaponize.

"These tools provide attackers with a good degree of access to victim systems without the need to create complicated custom malware that can more easily be linked back to a specific group," Symantec says.
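Because the tools named above are legitimate, a defender's best handle on this "living off the land" pattern is process-creation telemetry: flag the dual-use binaries and look for hosts where several of them show up together. The following is an added example, not Symantec's or the article's code; the on-disk image names, the Sysmon-like JSON event shape and the sample events are all constructed assumptions.

```python
"""Added detection example: spot the dual-use tools the report names
(PuTTY, PsExec, SNScan, WinRAR) in process-creation telemetry and
group the hits per host. Not Symantec's code; event shape is assumed."""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Tool names come from the article; the on-disk image names are assumptions.
DUAL_USE_IMAGES = {
    "putty.exe": "PuTTY",
    "psexec.exe": "PsExec",
    "psexec64.exe": "PsExec",
    "snscan.exe": "SNScan",
    "winrar.exe": "WinRAR",
    "rar.exe": "WinRAR",
}

# Constructed sample events in a Sysmon-like JSON shape, one object per line.
SAMPLE_TELEMETRY = r"""
{"host": "ws01", "user": "alice", "image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "cmdline": "WinRAR.exe x report.rar"}
{"host": "ws07", "user": "svc_backup", "image": "C:\\Windows\\Temp\\psexec.exe", "cmdline": "psexec.exe \\\\fs01 -s cmd.exe"}
{"host": "ws07", "user": "svc_backup", "image": "C:\\Windows\\Temp\\snscan.exe", "cmdline": "snscan.exe 10.0.0.0/24"}
{"host": "ws07", "user": "svc_backup", "image": "C:\\Users\\Public\\putty.exe", "cmdline": "putty.exe -ssh 10.0.0.9"}
{"host": "ws03", "user": "bob", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"}
"""


def find_dual_use(telemetry: str) -> list[dict]:
    """Return one finding per event whose image name is a known dual-use tool."""
    findings = []
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        image_name = PureWindowsPath(event["image"]).name.lower()
        tool = DUAL_USE_IMAGES.get(image_name)
        if tool:
            findings.append({"host": event["host"], "user": event["user"],
                             "tool": tool, "cmdline": event["cmdline"]})
    return findings


def tools_per_host(findings: list[dict]) -> dict[str, set[str]]:
    """Distinct tools seen on each host; several on one host is what to review."""
    by_host = defaultdict(set)
    for finding in findings:
        by_host[finding["host"]].add(finding["tool"])
    return dict(by_host)


def hosts_over_threshold(findings: list[dict], minimum: int = 2) -> list[str]:
    """Hosts running at least `minimum` distinct dual-use tools (assumed threshold)."""
    return sorted(h for h, t in tools_per_host(findings).items() if len(t) >= minimum)


if __name__ == "__main__":
    hits = find_dual_use(SAMPLE_TELEMETRY)
    for host in hosts_over_threshold(hits):
        print(host, sorted(tools_per_host(hits)[host]))
```

A single WinRAR run on a workstation is normal; the same account staging PsExec, SNScan and PuTTY from temp and public directories on one host is the combination worth a closer look.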

Palmerworm also uses stolen code-signing certificates for its payloads as an obfuscation technique, according to the researchers.


The researchers say some of the malware spotted in the latest Palmerworm campaign was also used in the PLEAD campaign, which Trend Micro attributed to the group in 2017. Plus, the group appears to be using the same infrastructure in its current campaign that it used in its 2017 attacks.

"The group’s use of dual-use tools has also been seen in previous campaigns identified as being carried out by Palmerworm, while the location of its victims is also typical of the geography targeted by Palmerworm in past campaigns," according to Symantec. "The group’s use of stolen code-signing certificates has also been observed in previous Palmerworm attacks. These various factors make us reasonably confident we can attribute this activity to Palmerworm."

About the Author

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produce multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.
