ESET unveils EmissarySoldier: The team campaign APT LuckyMouse attacks government networks and private companies (telecommunications, media and banks) in Central Asia and the Middle East
• The research included in the Report of the global cybersecurity company ESET on the Public Sector and which incorporates opinions of the European Commission, the CERN and Europol, was recently presented at a virtual conference for ESET Europe Cyber Security Day.
• The biggest challenge and common enemy for all governments is the Advanced Persistent Threat Groups (APT).
The European Union's cybersecurity strategy, like the strategy of all governments internationally, faces challenges not only from the adoption of the "digital by default" principle default), αλλά και από την πανδημία COVID-19, από τη μαζική εφαρμογή της τηλεργασίας (από το σπίτι), καθώς και από απειλές όπως η κυβερνοκατασκοπεία, το ransomware και οι επιθέσεις στο δίκτυο της εφοδιαστικής αλυσίδας (supply-chain attacks). Η μεγαλύτερη πρόκληση από όλες όμως, και κοινός εχθρός για όλες τις κυβερνήσεις, είναι οι ομάδες προηγμένων επίμονων απειλών (APT).
APT teams utilize sophisticated tools
ESET's global Public Sector's report on public sector was recently presented at a virtual conference for ESET Europe Cyber Security Day. The report examines the potential threats posed by APT teams, highlights their complex nature, and focuses on the EmissarySoldier campaign, a malicious campaign launched by the APT LuckyMouse team using the SysUpdate toolkit to attack machines, some of which ran Microsoft SharePoint application.
This LuckyMouse team analysis looks at the relatively unknown SysUpdate toolkit - the first samples of which were discovered in 2018. Since then, the toolbox has seen various stages of development. The LuckyMouse team installs malware της εφαρμόζοντας μια στρατηγική τριών στοιχείων: μια νόμιμη εφαρμογή ευάλωτη σε παραβίαση DLL, ένα προσαρμοσμένο αρχείο DLL που φορτώνει κακόβουλο αρχείο και ένα αρχείο raw binary payload encrypted with the Shikata Ga Nai algorithm.
Overview of the three-element model
Because SysUpdate's modular architecture allows its operators to limit exposure to malicious objects at will, ESET researchers have not been able to recover any malicious part and believe that this will be a constant challenge in future analyzes. However, the LuckyMouse team increased its activity in 2020, possibly going through an update process where various functions were gradually integrated into the SysUpdate toolkit.
Monitoring the evolution of tools exploited by APT groups such as the LuckyMouse group is a key concern, as governments have a responsibility to ensure stability for citizens, the business environment, and cooperation with other nation-states. These governance functions are under threat as LuckyMouse and other APT groups, including government agencies and their partners, target platforms broad collaboration such as Microsoft SharePoint and the provision of digital services.
The Public Sector in focus
In 2020 and 2021, several ESET research collaborations matured, including collaborations with the European Organization for Nuclear Research (CERN), the European Police Office (Europol) and the French Information Systems Security Agency (ANSSI). As highlighted in the virtual event and in the report, governments and their IT infrastructure are considered to be the default targets.
According to the report, technology experts must continue to support governments in closing security gaps and monitor the tactics, techniques and procedures of APT teams through the various Endpoint detection and protection technologies available to them.
