China-linked CactusPete APT Using Upgraded Bisonal Backdoor to Target Eastern European Military

First discovered by Kaspersky earlier this year in February, the CactusPete APT is using a new malware backdoor to target victims across Eastern Europe.

Latest update

According to researchers, the CactusPete group typically targets sensitive data held by diplomatic, military, and infrastructure organizations.
  • In a recent report, researchers disclosed that the group is using a new variant of the Bisonal backdoor to target financial and military sectors located in Eastern Europe.
  • They found 300+ almost identical samples that appeared between March 2019 and April 2020, which works out to over 20 new samples per month.

How does the attack work?

  • The attackers mostly used spear-phishing messages with malicious attachments for malware distribution.
  • The group has been using some recently discovered vulnerabilities (like CVE-2018-8174 affecting Windows VBScript engine) and other approaches to deliver their malicious payloads.
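Since the delivery vector described above is a spear-phishing attachment, the most useful defensive control is screening what arrives at the mail gateway. The following script is an added example, not code from Kaspersky's report or from any CactusPete analysis: it applies a simple attachment policy (script and executable extensions, macro-capable Office formats, double extensions, and a mismatch between the declared extension and the file's leading bytes) to a set of constructed sample attachments and returns a verdict for each. The extension lists and the three verdict names are assumptions chosen for illustration; a real gateway policy would be tuned to the organization.

```python
"""Screen inbound mail attachments for file types commonly abused in spear-phishing.

Added example for illustration only; not from Kaspersky's report or the CactusPete
analysis. All attachment records below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Illustrative policy lists (assumptions, tune to your environment).
HIGH_RISK_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".hta", ".wsf", ".scr", ".exe", ".lnk", ".chm",
}
MACRO_CAPABLE_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".doc", ".xls", ".rtf"}
# Extensions a sender might hide behind, e.g. "invoice.pdf.vbs".
DECOY_EXTENSIONS = {".pdf", ".doc", ".jpg", ".txt", ".xls"}


@dataclass
class Attachment:
    sender: str
    filename: str
    magic: bytes  # first bytes of the file content, as captured by the gateway


def _extension(filename):
    m = re.search(r"(\.[a-z0-9]+)$", filename.lower())
    return m.group(1) if m else ""


def _has_double_extension(filename):
    parts = filename.lower().split(".")
    return len(parts) > 2 and ("." + parts[-2]) in DECOY_EXTENSIONS


def _magic_mismatch(filename, magic):
    """True when the declared extension and the leading bytes disagree."""
    ext = _extension(filename)
    if magic.startswith(b"MZ") and ext not in {".exe", ".dll", ".scr"}:
        return True  # a PE image wearing a non-executable name
    if ext == ".pdf" and not magic.startswith(b"%PDF"):
        return True  # claims to be PDF but does not start like one
    return False


def assess(att):
    """Return (verdict, reasons) for one attachment.

    quarantine: block outright; detonate: route to sandbox / manual review;
    deliver: pass through.
    """
    reasons = []
    ext = _extension(att.filename)
    if ext in HIGH_RISK_EXTENSIONS:
        reasons.append(f"high-risk extension {ext}")
    if ext in MACRO_CAPABLE_EXTENSIONS:
        reasons.append(f"macro-capable document {ext}")
    if _has_double_extension(att.filename):
        reasons.append("double extension")
    if _magic_mismatch(att.filename, att.magic):
        reasons.append("content does not match declared type")

    if ext in HIGH_RISK_EXTENSIONS or _has_double_extension(att.filename) \
            or _magic_mismatch(att.filename, att.magic):
        return "quarantine", reasons
    if reasons:
        return "detonate", reasons
    return "deliver", reasons


# Constructed sample attachments (not real indicators).
SAMPLE_ATTACHMENTS = [
    Attachment("partner@example.org", "report.pdf", b"%PDF-1.7\n"),
    Attachment("partner@example.org", "agenda.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    Attachment("unknown@example.net", "invoice.pdf.vbs", b"Set o = CreateObject("),
    Attachment("unknown@example.net", "photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
]


def screen_all(attachments=SAMPLE_ATTACHMENTS):
    """Map each filename to its verdict."""
    return {a.filename: assess(a)[0] for a in attachments}


if __name__ == "__main__":
    for att in SAMPLE_ATTACHMENTS:
        verdict, reasons = assess(att)
        print(f"{att.filename:20s} {verdict:10s} {'; '.join(reasons)}")
```

The magic-byte check matters more than the extension lists: renaming a payload is trivial for an attacker, while the leading bytes of a PE or OLE file are not something they can change without breaking the file. Anything routed to `detonate` (here the legacy `.doc`, which can carry macros) is the class of attachment that awareness training should teach users to treat with suspicion even when it arrives from a plausible sender.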

The APT's tactics

  • In addition to reconnaissance and gaining deeper access to a compromised network, the CactusPete group utilizes various custom Mimikatz variants along with privilege escalation malware and keyloggers for credential harvesting purposes.
  • The adversary also employs other malware such as the DoubleT backdoor, along with ShadowPad, Curious Korlia, CALMTHORNE, and DOUBLEPIPE.

Closing lines

Though it is not the most sophisticated APT group, CactusPete has still seen some relative success in recent times. According to Kaspersky, two factors behind its success are the use of complex code, such as ShadowPad, and the crafting of trustworthy phishing emails. Regular training and awareness about spear-phishing attacks within an organization, along with the right set of security tools and processes in place, can save the day.