Commands sent by cybercriminals to a web shell during an attack
According to experts, organizations from India (34% of the victims), Brazil, Kazakhstan (18% each), Russia, Thailand (12% each) and Turkey (6%) have already suffered from the group’s actions. Attackers broke into the network perimeter and placed on it a special program through which they gained access to the internal networks of compromised organizations.
How do hackers
As the investigation showed, attackers are moving inside the network either by exploiting the remote code execution vulnerability MS17-010 , or by using stolen credentials.
The general structure of malware and its installation
The success of the attacks of this group is largely facilitated by the fact that most of the utilities used by it to advance within the network are widely used by specialists around the world for network administration. The grouping used public utilities and exploits, for example SysInternals , Mimikatz , EternalBlue , EternalRomance. Using common exploits, criminals infect computers on the organization’s local network and steal sensitive data.
The organization can prevent such attacks using specialized systems of deep traffic analysis that will allow you to calculate suspicious activity at the initial stage of the penetration of attackers into the local network and prevent them from gaining a foothold in the company's infrastructure. In addition, monitoring information security events , protecting the perimeter and web applications will help to detect attacks and counteract them.
According to the data obtained, the identified APT group presumably has Asian roots and is among the Chinese speakers.
During one of the attacks, inadvertently, the attackers incorrectly configured the proxy server, by which they issued their real IP address belonging to the China Telecom provider
In one of the attacks, the group used the PlugX malware, which is traditionally used by many APT groups of Chinese origin, as well as the Byeby Trojan, which was used in the SongXY malware campaign in 2017. In addition, during individual attacks, attackers mistakenly revealed their real IP addresses belonging to Chinese providers.
Conclusion
The group already has behind it several successful hacks, but it makes mistakes that allow us to judge its origin. According to all the data presented, the group comes from Asia and uses previously unknown malware. The Byeby Trojan connects this group with the SongXY group that we discovered earlier, the peak of activity of which occurred in 2017.
We continue to closely monitor the activity of the Calypso group and predict new attacks with its participation.