The Curious Case of Tool Diversification by APT Groups

In the third quarter of 2020, APT groups were observed diversifying their tools in pursuit of better results.

The scoop

Threat actors usually stick to their old, proven tactics, techniques, and procedures (TTPs); with time, however, some resourceful groups do come up with dangerous innovations.
  • Recently, an unknown threat actor ran a campaign built on a novel tactic: a custom UEFI bootkit, dubbed MosaicRegressor.
  • The MuddyWater APT actor has been updating its multi-stage frameworks to evade detection.
  • The Dtrack RAT was updated with a new feature that lets its operator deploy different types of payloads.

Other trends observed in Q3

Most APT campaigns are still driven by geopolitical events.
  • The financial sector is still being targeted most frequently among all critical sectors.
  • Transparent Tribe and Origami Elephant have been using mobile implants in their attacks.
  • Recent hotspots for APT activity include Southeast Asia and the Middle East.

The bottom line

While many threat actors have kept to their established tactics and techniques, relying on topical lures such as those related to COVID-19, some have gone above and beyond and reinvented themselves. They have developed new toolsets that widen the attack surface they can reach and extend their operations to new platforms.