A newly identified APT group, dubbed ChamelGang, has been observed targeting the fuel, energy, and aviation industries in Russia. Active since at least March, the group exploits the known ProxyShell vulnerability chain in Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), for which Microsoft had already released patches.
Positive Technologies, which discovered the group, found that ChamelGang had already compromised organizations in ten countries using ProxyShell and a range of malware.
To stay under the radar, the group disguises its command-and-control infrastructure as that of established vendors such as Microsoft, Trend Micro, McAfee, IBM, and Google, using several methods.
One is registering domains that resemble legitimate ones, such as newtrendmicro[.]com, mcafee-upgrade[.]com, microsoft-support[.]net, centralgoogle[.]com, and cdn-chrome[.]com. Each of these sits under a registrable domain the vendor does not own, so they pass a casual glance at a proxy log but not a comparison against the vendor's real domain.
It also uses fake TLS certificates, not issued by any public CA, whose subjects impersonate github[.]com, ibm[.]com, jquery[.]com, and update[.]microsoft-support[.]net, so that traffic to its servers resembles ordinary HTTPS to a well-known site. Such certificates fail chain validation, so the disguise only works against inspection that does not verify the issuer.
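The two masquerading techniques above (lookalike domains and fake certificates for real brand names) can both be caught with a simple comparison against the vendors' genuine registrable domains. The following is an added example, not code from the original report or from Positive Technologies: the DNS log lines and certificate records are constructed, the brand-to-legitimate-domain table is an assumption, and registrable_domain() uses a naive last-two-labels rule instead of the Public Suffix List.

```python
"""Flag lookalike domains and self-signed certificates that impersonate known brands.

Added example. Sample log lines and certificate records are constructed;
BRANDS is an assumed brand -> legitimate registrable domain table.
"""
import re
from typing import Dict, List, Optional

# Assumption: brand keyword -> registrable domains the brand actually uses.
BRANDS: Dict[str, set] = {
    "trendmicro": {"trendmicro.com"},
    "mcafee": {"mcafee.com"},
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
    "chrome": {"google.com"},
    "github": {"github.com"},
    "ibm": {"ibm.com"},
    "jquery": {"jquery.com"},
}
LEGIT = set().union(*BRANDS.values())

# Constructed DNS query log: "<timestamp> <client> query <type> <qname>"
SAMPLE_DNS_LOG = [
    "2021-09-30T10:01:02Z host1 query A newtrendmicro.com",
    "2021-09-30T10:01:05Z host2 query A www.trendmicro.com",
    "2021-09-30T10:02:11Z host1 query A mcafee-upgrade.com",
    "2021-09-30T10:03:40Z host3 query A update.microsoft-support.net",
    "2021-09-30T10:04:00Z host3 query A cdn-chrome.com",
    "2021-09-30T10:04:30Z host4 query A centralgoogle.com.",
    "2021-09-30T10:05:00Z host4 query A login.microsoft.com",
]

# Constructed certificate records (subject / issuer common names only).
SAMPLE_CERTS = [
    {"subject_cn": "github.com", "issuer_cn": "github.com"},
    {"subject_cn": "ibm.com", "issuer_cn": "ibm.com"},
    {"subject_cn": "update.microsoft-support.net",
     "issuer_cn": "update.microsoft-support.net"},
    {"subject_cn": "www.github.com", "issuer_cn": "Example Public CA"},
]

LOG_RE = re.compile(r"^\S+ \S+ query \S+ (?P<qname>\S+)$")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two labels (no Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike(host: str) -> Optional[str]:
    """Return the brand a host imitates, or None if the host is under the
    brand's own registrable domain or contains no brand keyword."""
    reg = registrable_domain(host)
    for brand, legit in BRANDS.items():
        # Strip hyphens so "cdn-chrome.com" still matches "chrome".
        if brand in reg.replace("-", "") and reg not in legit:
            return brand
    return None


def scan_dns_log(lines: List[str]) -> Dict[str, str]:
    """Map each flagged queried name to the brand it imitates."""
    hits: Dict[str, str] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        brand = lookalike(qname)
        if brand:
            hits[qname] = brand
    return hits


def check_cert(cert: Dict[str, str]) -> List[str]:
    """Reasons a certificate is suspicious: self-signed, a lookalike subject,
    or a self-signed certificate claiming a brand's real domain."""
    reasons: List[str] = []
    subject = cert["subject_cn"].lower().rstrip(".")
    issuer = cert["issuer_cn"].lower().rstrip(".")
    self_signed = subject == issuer
    if self_signed:
        reasons.append("self-signed")
    brand = lookalike(subject)
    if brand:
        reasons.append(f"lookalike:{brand}")
    elif self_signed and registrable_domain(subject) in LEGIT:
        reasons.append("self-signed-for-brand-domain")
    return reasons


if __name__ == "__main__":
    for name, brand in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(f"lookalike domain {name} imitates {brand}")
    for cert in SAMPLE_CERTS:
        print(cert["subject_cn"], check_cert(cert))
```

Keyed on the registrable domain, the check lets www.trendmicro.com and login.microsoft.com through while flagging every lookalike the article lists; a self-signed certificate for github.com or ibm.com is flagged even though the subject is the brand's genuine domain, because no public CA issued it.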
The group has also deployed previously unseen malware, namely ProxyT, BeaconLoader, and DoorMe (a backdoor implemented as a native IIS module), alongside known tools including FRP, Cobalt Strike Beacon, and Tiny SHell.
The attackers behind ChamelGang got in by exploiting known vulnerabilities for which patches already existed, and only then brought in their malware toolkit; many of these intrusions could have been prevented. Organizations should inventory their internet-facing Exchange servers, confirm each one is running a patched build, apply security updates as soon as they are released rather than deferring them, and review the modules loaded by IIS on those servers for anything they did not install.