Modern cyber-crime rings are increasingly drawn to using legitimate components to achieve their goals. Executing malicious components via DLL hijacking, and persisting on affected systems by abusing legitimate scheduled tasks and services, are just a few examples of their agility and focus.
State-affiliated actors such as the notorious APT29 group have successfully used this approach in the past: they replaced the binary responsible for updating Adobe Reader with a malicious component, so that the corresponding scheduled task that runs the binary executed the malicious one instead, thereby providing persistence. Another strategy for keeping a low profile is the use of locations that are less likely to be suspected of hosting malware and more likely to be excluded from security-solution scrutiny.
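As an added illustration of how a defender can check for the scheduled-task binary swap described above (example code written for this edit, not from the Bitdefender report), the following PowerShell audits every scheduled task's action binary for an invalid Authenticode signature, a SHA-256 hash that differs from a supplied baseline, or a location outside the Windows and Program Files directories. The `$KnownGood` baseline table and the "expected location" path pattern are assumptions to adapt to your environment.

```powershell
# Added example (not from the Bitdefender report): audit scheduled-task
# action binaries for signs of the binary-swap persistence technique.
# Assumes Windows 10 / Server 2016 or later with the ScheduledTasks module.
function Get-SuspiciousTaskAction {
    [CmdletBinding()]
    param(
        # Baseline of expected SHA-256 hashes keyed by full path, e.g. built
        # from a known-good host. Constructed placeholder; supply your own.
        [hashtable]$KnownGood = @{}
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # not an Exec action
            # Expand %SystemRoot%-style variables and strip surrounding quotes.
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if (-not [IO.Path]::IsPathRooted($exe)) {
                # Bare names resolve through PATH, just as the task scheduler would.
                $resolved = Get-Command $exe -ErrorAction SilentlyContinue
                if ($resolved) { $exe = $resolved.Source }
            }
            if (-not (Test-Path -LiteralPath $exe)) { continue }
            $sig  = Get-AuthenticodeSignature -FilePath $exe
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            $reasons = @()
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
            if ($KnownGood.ContainsKey($exe) -and $KnownGood[$exe] -ne $hash) {
                $reasons += 'hash differs from baseline'
            }
            # Assumed "expected" locations; tune for your estate.
            if ($exe -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\') {
                $reasons += 'outside Windows/Program Files'
            }
            if ($reasons) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    Binary  = $exe
                    Signer  = $sig.SignerCertificate.Subject
                    Sha256  = $hash
                    Reasons = $reasons -join '; '
                }
            }
        }
    }
}

# Run from an elevated prompt so that system tasks are included.
Get-SuspiciousTaskAction | Format-Table -AutoSize
```

A legitimate updater replaced by a malicious binary typically shows up here with a signature status other than Valid, a different signer, or a hash that no longer matches the baseline.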
We identified these behaviors in a recent incident investigated by Bitdefender researchers, in which presumably custom malware, tracked by Bitdefender as the Logutil backdoor, was deployed. The operation was active for more than a year, with the end goal of compromising credentials and exfiltrating data.
Our investigation revealed that the operation had been active since at least early 2022. During this time, the attackers attempted to load their tools through multiple means, with Logutil being their main tool of choice. AsyncRAT was also used in the earlier stages of infection.
Based on the infrastructure used, it was established that Cobalt Strike is another tool in the attackers’ arsenal. The target of this operation was a company operating in the Technology/IT Services industry in East Asia.
Microsoft WMI Provider Subsystem
\\tsclient\c\subfolders, if the tsclient share was enabled.
An up-to-date, complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. Currently known indicators of compromise can be found in the whitepaper below.