A cyber-espionage campaign is using new malware to infiltrate targets around the world, including organisations in media, finance, construction and engineering.
Detailed by cybersecurity company Symantec, the attacks against organisations in the US, Japan, Taiwan and China are being conducted with the aim of stealing information, and have been linked to an espionage group known as Palmerworm (aka BlackTech), which has a history of campaigns going back to 2013.
The addition of a US target to this campaign suggests the group is expanding to a wider, more geographically diverse set of targets in its quest to steal information, although its full motivations remain unclear.
In some cases, Palmerworm maintained a presence on compromised networks for a year or more, often with the aid of ‘living-off-the-land’ tactics: abusing legitimate software and tools already present on the victim's systems so as not to raise suspicion that something is wrong, which also leaves less evidence that could be used to trace the origin of the attack.
Researchers have not been able to determine how the attackers gained initial access to the network in this latest round of Palmerworm attacks, but previous campaigns have used spear-phishing emails to compromise victims.
However, it is known that the malware is deployed using custom loaders and network-reconnaissance tools similar to those seen in previous Palmerworm campaigns, leaving researchers “reasonably confident” that the same group is behind these attacks.
Palmerworm’s malware also signs its payloads with stolen code-signing certificates, which makes them look more legitimate and harder for security software to detect. The group is known to have used this tactic before as well. A valid signature on such a payload only shows that it was signed with a key the attackers possessed, not that it came from the organisation named in the certificate, so a signature check alone is not enough to clear a suspicious binary.
The trojan malware provides attackers with a secret backdoor into the network and that access