Bismuth APT Using Old, Legitimate Apps for DLL Side-Loading in Cryptomining Campaign

Staying under the radar is one of the top priorities for cybercriminals seeking to establish persistence in a compromised system. Lately, the nation-state actor Bismuth has been observed taking advantage of coin miners, which generate only low-priority alerts, to hide its espionage activities.

Bismuth’s cryptojacking decoy

Microsoft has detected the deployment of Monero coin miners in Bismuth’s recent campaigns, used to monetize compromised networks at large multinational corporations, governments, financial services, educational institutions, and human and civil rights organizations.
  • According to Microsoft, these attacks occurred in July and August, targeting private and government organizations in France and Vietnam.
  • Bismuth was found using spear-phishing emails, social engineering, purpose-made Gmail accounts, and DLL side-loading to launch cyberespionage attacks.
  • On the targeted system, the actor planted older versions of several applications, such as Microsoft Defender, that were still vulnerable to DLL side-loading.

The attack technique

Before sending the spear-phishing emails, the attackers closely studied each target and then created fake Gmail accounts tailored to that target.
  • Upon successfully infiltrating the target system, the attackers planted outdated versions of several legitimate applications, such as Microsoft Word 2007, Microsoft Defender, the Sysinternals DebugView tool, and the McAfee on-demand scanner, and then performed DLL side-loading attacks.
  • During this period, the group had used a custom malware named KerrDown that impersonated a DLL from Microsoft Word 2007 and executed in the context of the application.
  • Attackers often spent about a month in the targeted networks, moved laterally to servers, and then collected details about the local administrators and domains. They also pulled out device information and checked for user privileges on local machines.
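The pattern described above (a malicious DLL placed beside an older, legitimately signed executable and loaded in its context) leaves a trace a defender can look for: a DLL next to a validly signed host executable that is itself unsigned or signed by a different publisher. The following PowerShell triage script is an added example, not code from the article or from Microsoft; it assumes Windows PowerShell 5.1 or later and a directory path you choose (the path shown is a placeholder).

```powershell
# Added example (not from the original article): list DLLs that sit beside a
# validly signed executable but are unsigned or signed by a different publisher,
# the residue a side-loaded DLL (such as one impersonating a Word 2007 DLL) leaves.
function Find-SideLoadCandidates {
    param(
        [Parameter(Mandatory)] [string] $Root   # directory tree to inspect
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # Each signed executable defines the publisher we expect its neighbouring DLLs to carry.
    $exes = Get-ChildItem -Path $Root -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue
    foreach ($exe in $exes) {
        $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
        if ($exeSig.Status -ne 'Valid') { continue }        # only consider signed hosts
        $expectedSigner = $exeSig.SignerCertificate.Subject

        $dlls = Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -File -ErrorAction SilentlyContinue
        foreach ($dll in $dlls) {
            $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName
            $reason = $null
            if ($dllSig.Status -ne 'Valid') {
                $reason = "DLL signature status: $($dllSig.Status)"
            } elseif ($dllSig.SignerCertificate.Subject -ne $expectedSigner) {
                $reason = 'DLL signer differs from host executable signer'
            }
            if ($reason) {
                $findings.Add([pscustomobject]@{
                    Host      = $exe.FullName
                    Dll       = $dll.FullName
                    DllSigner = $dllSig.SignerCertificate.Subject
                    Modified  = $dll.LastWriteTime   # recently dropped files stand out here
                    Reason    = $reason
                })
            }
        }
    }
    return $findings
}

# Placeholder path; point this at application directories you want to triage.
Find-SideLoadCandidates -Root 'C:\Program Files (x86)\ExampleApp' | Format-Table -AutoSize
```

Many legitimate products ship third-party or unsigned DLLs, so treat hits as leads to verify (hash, modification time, origin), not as verdicts.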

Cryptojacking attempts lately

It has become a growing trend to combine crypto-mining malware with other malware families so that several attacks can be carried out at once.
  • In November, the Chinese-linked Muhstik botnet was seen targeting cloud infrastructure and IoT devices such as routers to mine cryptocurrency using open source tools like XMRig and cgminer.
  • In late October, the KashmirBlack botnet was infecting websites and then using their servers for cryptocurrency mining in two series of attacks.

Summing up

The Bismuth group has been using the cover of low-priority threats, which allows it to run its operations without revealing its identity. Experts therefore recommend that organizations not take low-priority threats like cryptomining lightly. All defenses must remain fully in place, especially during and after any cyber threat has been identified.