CactusPete hackers go on European rampage with Bisonal backdoor upgrade

The APT is attacking banks and military organizations in Eastern Europe.
Written by Charlie Osborne, Contributing Writer

An advanced persistent threat (APT) group has evolved the Bisonal new backdoor for use in attacks against financial and military organizations across Europe. 

First spotted in 2013, the CactusPete APT -- also tracked as Karma Panda -- has been linked to cybercriminal campaigns across Europe, Russia, Japan, and South Korea. 

See also: Black Hat: Hackers can remotely hijack enterprise, healthcare Temi robots

Cisco Talos researchers say that the group, named internally as Tonto Team, is likely a state-sponsored APT belonging to the Chinese military focused on intelligence-gathering and espionage. 

Kasperksy Labs researchers are of the same opinion when it comes to spying activities. Adding that CactusPete has also been known to strike diplomatic and infrastructure organizations, the team says that the group appears to be after "very sensitive" information. 

On Thursday, Kasperksy published an update on the APT's activities. A new campaign focused on military and financial groups across Eastern Europe is taking place, together with the use of a new Bisonal backdoor variant. 

Back in March, Talos documented one of the latest strains of the Bisonal Trojan in use, an interesting element of the APT's toolset considering the age of the malware. 

Bisonal has been in active development for over a decade. The Trojan uses dynamic DNS to communicate with a command-and-control (C2) server, has continually improving obfuscation modules, and in the latest versions, also includes XOR encoding and support for proxy servers, among other features. 

As a cyberespionage tool, the backdoor is capable of maintaining persistence on an infected machine, scanning drives, listing and exfiltrating files of interest, deleting content, killing system processes, and executing code, such as the launch of programs and remote shells. 

CNET: Facebook, Google, Twitter team up on election security ahead of RNC and DNC

According to Kasperksy, research began with only one sample of the new malware in February, and since then, over 20 new samples per month of the latest Bisonal variant are appearing.  

A recent tweak is the use of hardcoded Cyrillic code during string manipulations and campaigns at large, due to the languages used by intended targets across Eastern Europe. 

"This is important, for example, during remote shell functionality, to correctly handle the Cyrillic output from executed commands," the researchers note. 

TechRepublic: Zero trust is critical, but very underused

Bisonal is also used in tandem with keyloggers and custom versions of Mimikatz for data exfiltration and the theft of user credentials. 

Past campaigns use phishing methods, such as seemingly-legitimate emails with malicious attachments, to compromise a victim's machine. Kaspersky says that the initial attack vector for the European campaign is unknown, but spear-phishing is likely to be the case, given CactusPete's previous escapades. 

Kaspersky also noted that while CactusPete is not as sophisticated as many other APTs, it is possible that the cyberattackers have recently been bolstered with new support and resources due to the deployment of more complex code and tools, including ShadowPad server software, throughout 2020. 

The biggest hacks, data breaches of 2020 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards