Palmerworm APT Group Targeting Victims in US and Asia

8031757487?profile=RESIZE_400xPalmerworm, an advanced persistent threat (APT) group, has been active since 2013 and is engage in cyber espionage campaigns that target organizations in the US, East Asia, particularly Taiwan, and occasionally Japan and Hong Kong.  Palmerworm hackers are using new customized malware as well as ‘living off the land’ techniques manipulating tools and commands already built into an operating system for malicious purposes.

This APT group, also known as BlackTech, has conducted long-term espionage campaigns that target a variety of industries.  In its latest campaign, which started in August 2019, Palmerworm has directed attacks against news media outlets, electronics and finance companies in Taiwan, an engineering company based in Japan and a construction company in China as well as various US organizations.[1] 

While cyber investigators do not see what Palmerworm is exfiltrating from these victims, the group is considered an espionage group with likely motives to steal valuable information from targeted companies.  Authorities in Taiwan believe Palmerworm/BlackTech has connections to China and its government, as previously reported last August in trusted media sources.

Cyber research is unsure of the initial entry technique employed by Palmerworm to gain access to targeted networks.  The new custom malware toolset alone would have made the attribution difficult if it were not for the use of dual-use tools (such as Putty, PSExec, SNScan, and WinRAR) and stolen code-signing certificates to digitally sign its malicious payloads and thwart detection; a tactic seen in the past.  These tools provide attackers with a high degree of access to victim systems without the need to create complicated custom malware that can more easily be linked back to bad actors.

Another unclear tactic is the infection vector itself, which is the method Palmerworm has used to gain initial access into the victim networks.  This APT group, however, has leveraged spear-phishing emails in the past to deliver and install their backdoor, either in the form of an attachment or through links to cloud storage services.  Palmerworm uses previously unseen malware families that Symantec analysts label as, Backdoor.Consock; Backdoor.Waship; Backdoor.Dalwit and Backdoor.Nomri.  The malware may be new versions of earlier malware variants used by this APT gang.

Palmerworm also uses stolen code-signing certificates for its payloads as an obfuscation technique.  Researchers say some of the malware spotted in the latest Palmerworm campaign was also used in the PLEAD campaign, which Trend Micro attributed to the same group in 2017.  Additionally, the group appears to be using the same infrastructure in its current campaign that it used in its 2017 attacks.[2]

As to how the group gained access to targeted organizations, investigators explain that they did not see what infection vector Palmerworm used to gain initial access to victim networks in this campaign.  Unfortunately, the nature of advanced hacking campaigns means they are often difficult to detect and defend against.  Business organizations and individuals can take proactive steps to protect themselves against phishing scams as were probably used in Palmerworm’s campaign.  In addition to using good antivirus software to block suspicious activity, cyber threat investigators recommend using VPNs and 2 party authentication for additional cyber protection.

The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks such as ransomware.  Red Sky Alliance offers tools and services to help stop these types of cyber-attacks.   Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.

What can you do to better protect your organization today?

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Implement 2-Factor authentication company wide.
  • Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network. 
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.

Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.

Articles about the cyber threat groups mentioned in this report can be found at https://redskyalliance.org    There is no charge for access to these reports.

Our services can help protect with attacks such as these.  We provide both internal monitoring in tandem with RedXray notifications on ‘external’ threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.

The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks.  Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com    

TR-20-281-001_Palmeerworm.pdf 

 

[1] https://www.bankinfosecurity.com/apt-group-wages-cyber-espionage-campaign-a-15094

[2] https://www.bleepingcomputer.com/news/security/blacktech-apt-steals-d-link-cert-for-cyber-espionage-campaign/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!