APT Group Wages Cyber Espionage CampaignSymantec: Palmerworm Targeting Victims in US, Asia
Palmerworm, an advanced persistent threat group that's been active since 2013, is waging a cyber espionage campaign targeting organizations in the U.S. and Asia, according to researchers at Symantec.
Palmerworm hackers are using new customized malware as well as "living off the land" techniques - manipulating tools and commands already built into an operating system for malicious purposes, the researchers say.
The APT group, which is also known as BlackTech, has waged long-term espionage campaigns that target a variety of industries. In its latest campaign, which started in August 2019, the hackers have targeted news media, electronics and finance companies in Taiwan, an engineering company based in Japan and a construction company in China as well as U.S. organizations, according to the report.
"While we cannot see what Palmerworm is exfiltrating from these victims, the group is considered an espionage group, and its likely motivation is considered to be stealing information from targeted companies," the Symantec researchers note.
Officials in Taiwan believe the hacking group has connections to China and its government, Reuters reported in August.
Symantec is unsure of the initial entry technique employed by Palmerworm to gain access to targeted networks, but the gang has previously been observed using spear-phishing emails.
The APT group is using previously unseen malware families that Symantec labels Backdoor.Consock, Backdoor.Waship, Backdoor.Dalwit and Backdoor.Nomri. The malware, however, might be new versions of earlier malware variants used by the gang.
Palmerworm also uses a custom loader, called Trojan Horse, and a network reconnaissance tool known as Hacktool, Symantec says. And the APT group uses the dual-use tools Putty, PsExec, SNScan and WinRaR, which other hacking groups also frequently weaponize.
"These tools provide attackers with a good degree of access to victim systems without the need to create complicated custom malware that can more easily be linked back to a specific group," Symantec says.
Palmerworm also uses stolen code-signing certificates for its payloads as an obfuscation technique, according to the researchers.
The researchers say some of the malware spotted in the latest Palmerworm campaign was also used in the PLEAD campaign, which Trend Micro attributed to the group in 2017. Plus, the group appears to be using the same infrastructure in its current campaign that it used in its 2017 attacks.
"The group’s use of dual-use tools has also been seen in previous campaigns identified as being carried out by Palmerworm, while the location of its victims is also typical of the geography targeted by Palmerworm in past campaigns," according to Symantec. "The group’s use of stolen code-signing certificates has also been observed in previous Palmerworm attacks. These various factors make us reasonably confident we can attribute this activity to Palmerworm."