

Multiple D-Link DAR-7000-40 Vulnerabilities
July 25, 2024
Multiple Microsoft Windows Products Vulnerabilities
July 25, 2024
Severity
High
Analysis Summary
The Brute Ratel C4 framework and an upgraded backdoor known as PGoShell were delivered as part of a cyberattack linked to the threat actor Patchwork and aimed at organizations with connections to Bhutan.
According to the researchers, this is the first time the adversary has been observed using the red-teaming software. The activity cluster is a state-sponsored actor, probably of Indian origin, that is also tracked as APT-C-09, Dropping Elephant, Operation Hangover, Viceroy Tiger, and Zinc Emerson.

Based on information provided by researchers, the threat group is believed to have been active since at least 2009 and is well known for spear-phishing and watering hole attacks against China and Pakistan. Earlier in February, the threat actor was found to have used romance-themed lures to trick victims in Pakistan and India into installing a remote access trojan called VajraSpy, which compromised their Android smartphones.
The most recently observed attack chain begins with a Windows shortcut (LNK) file designed to download a decoy PDF document from a remote domain that impersonates the UNFCCC-backed Adaptation Fund. Meanwhile, Brute Ratel C4 and PGoShell, retrieved from a separate domain, are deployed covertly. PGoShell is written in the Go programming language and offers a wide range of features, including screen capture, remote shell access, and the ability to download and run payloads.
The development came months after attacks using previously undocumented malware such as WalkerShell, DemoTrySpy, and NixBackdoor to harvest data and run shellcode were linked to APT-K-47, another threat actor with tactical overlaps with SideWinder, Patchwork, Confucius, and Bitter. The use of the open-source Nimbo-C2 command-and-control framework, which offers a variety of remote control features, also makes those attacks noteworthy.
Impact
- Cyber Espionage
- Sensitive Data Theft
- Code Execution
Indicators of Compromise
Domain Name
- cartmizer.info
- longwang.b-cdn.net
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Encourage users to regularly update their Android devices and install security patches to mitigate vulnerabilities that threat actors may exploit.
- Advocate for the implementation of multi-factor authentication wherever possible to add an extra layer of security, especially for sensitive applications like messaging and financial apps.
- Organizations should conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in their systems and networks.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization to secure its websites and software. Use testing tools to detect vulnerabilities in deployed code.
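One way to act on the "search for indicators of compromise" item using the two domains listed above, as an added example that is not part of this advisory: the script below matches hostnames from DNS query logs and web proxy logs against the IOC domains, treating subdomains as hits but not look-alike names. The log lines are constructed samples in BIND-style and Squid-style formats (an assumption about the reader's log sources).

```python
import re
from typing import Optional

# The two domains listed under Indicators of Compromise above.
IOC_DOMAINS = {"cartmizer.info", "longwang.b-cdn.net"}

# Constructed sample lines: BIND-style query-log entries and Squid-style proxy entries.
SAMPLE_LOGS = [
    "25-Jul-2024 10:02:11 client 10.0.0.5#53422: query: cdn.cartmizer.info IN A",
    "25-Jul-2024 10:02:15 client 10.0.0.7#53011: query: www.example.org IN A",
    "1721901800.123 10.0.0.5 TCP_MISS/200 GET https://LONGWANG.b-cdn.net/update.bin",
    "1721901805.456 10.0.0.9 TCP_MISS/200 GET https://notcartmizer.info/page",
]

# Hostname follows either "query: " (DNS log) or a URL scheme (proxy log).
HOST_RE = re.compile(r"(?:query: |https?://)([A-Za-z0-9.-]+)")


def extract_hostname(line: str) -> Optional[str]:
    """Pull the queried or requested hostname out of a log line, lower-cased."""
    m = HOST_RE.search(line)
    return m.group(1).lower().rstrip(".") if m else None


def matches_ioc(hostname: str, iocs=IOC_DOMAINS) -> Optional[str]:
    """Return the IOC that hostname equals or is a subdomain of, else None.

    Label-aware matching avoids false positives such as notcartmizer.info.
    """
    hostname = hostname.lower().rstrip(".")
    for ioc in iocs:
        if hostname == ioc or hostname.endswith("." + ioc):
            return ioc
    return None


def scan_logs(lines):
    """Return (line, ioc) pairs for every line that touches a listed domain."""
    hits = []
    for line in lines:
        host = extract_hostname(line)
        ioc = matches_ioc(host) if host else None
        if ioc:
            hits.append((line, ioc))
    return hits


if __name__ == "__main__":
    for line, ioc in scan_logs(SAMPLE_LOGS):
        print(f"IOC {ioc} seen in: {line}")
```

Extend IOC_DOMAINS and HOST_RE to cover your own indicator feed and log formats; the label-aware check in matches_ioc is the part worth keeping.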