In order to avoid drawing too much attention and establish persistence in targeted networks, a nation-state threat actor was observed using cryptocurrency miners, Microsoft reported on Monday.
These miners generate low-priority alerts typically associated with cybercrime activities, particularly since they are not sophisticated threats, and security teams do not treat them with high urgency.
This is precisely why in campaigns running from July to August 2020, a nation-state actor tracked by Microsoft as BISMUTH, which shows a number of similarities with a Vietnam-linked group named OceanLotus, adopted crypto-miners. Private and government organisations in France and Vietnam were targeted by the attacks.
BISMUTH, active since at least 2012, has been observed to carry out complex cyber-espionage attacks targeting governments, multinational corporations, the sectors of education and financial services and human rights and civil rights entities.
The group is known for using both custom and open-source tools and for techniques that range from commonplace to more advanced, focusing primarily on establishing long-running surveillance and espionage and on stealing data of interest.
The use of coin miners by BISMUTH is in line with its methods of blending in. The attacks involved the use of specifically tailored spear-phishing emails for the target and the heavy use of DLL side-loading (leveraging copies of legitimate software, such as outdated versions of Microsoft Defender Antivirus, Word 2007, Sysinternals DebugView, and a McAfee on-demand scanner).
Microsoft notes that if we learned anything from ‘commodity’ banking Trojans that bring in human-operated ransomware, we know that common malware infections can be indicators of more advanced cyber attacks and should be handled urgently and thoroughly investigated and resolved.
At each target organisation, spear-phishing emails were sent to a single recipient. With some targets, the group would also exchange correspondence before attempting to trick them into opening malicious attachments.
Once it has compromised a network, the adversary performs extensive discovery (a stage that could take up to a month) before moving laterally to high-value targets such as servers. Along with KerrDown, a custom malware family exclusive to BISMUTH, evasive PowerShell scripts are used to keep the activity undetected.
The information the adversary would collect included directory forest data, domain organisational unit (OU) data, credentials, and domain trust information. The group would also ping databases and file servers holding high-value data, drop a Cobalt Strike beacon, and set up a scheduled task for persistence.
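The article's point is that a low-priority coin-miner alert should be escalated when the same host also shows the discovery and persistence signals described above. The following is an added triage example (not Microsoft's or BISMUTH-related code); the event records, host names and detail strings are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample host telemetry: (timestamp, host, event type, detail).
# Hosts, times and details are made up for this example.
SAMPLE_EVENTS = [
    ("2020-08-03T09:12:00", "ws-fin-07", "coin_miner", "miner-like process, sustained high CPU"),
    ("2020-08-03T09:40:00", "ws-fin-07", "dll_sideload", "outdated AV binary loaded an unsigned DLL"),
    ("2020-08-03T10:05:00", "ws-fin-07", "scheduled_task", "new task launching encoded PowerShell"),
    ("2020-08-03T11:00:00", "ws-hr-02", "coin_miner", "miner-like process, sustained high CPU"),
    ("2020-08-10T08:00:00", "ws-hr-02", "scheduled_task", "vendor updater task"),
]

# Signal types the article associates with the post-compromise phase:
# DLL side-loading, scheduled-task persistence, domain discovery, C2 beacon.
CORROBORATING = {"dll_sideload", "scheduled_task", "domain_discovery", "beacon"}
WINDOW = timedelta(days=2)  # assumed correlation window, tune per environment


def escalate_miner_alerts(events, window=WINDOW):
    """Return {host: [corroborating details]} for every host whose coin-miner
    alert co-occurs, within `window`, with at least one corroborating signal.
    Hosts with a miner alert alone are left at their original low priority."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), kind, detail))

    escalated = {}
    for host, evs in by_host.items():
        miner_times = [t for t, kind, _ in evs if kind == "coin_miner"]
        for t0 in miner_times:
            hits = [
                detail
                for t, kind, detail in evs
                if kind in CORROBORATING and abs(t - t0) <= window
            ]
            if hits:
                escalated.setdefault(host, []).extend(hits)
    return escalated


if __name__ == "__main__":
    for host, reasons in escalate_miner_alerts(SAMPLE_EVENTS).items():
        print(f"ESCALATE {host}: miner alert plus {len(reasons)} corroborating signal(s)")
        for reason in reasons:
            print(f"  - {reason}")
```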
Targets in Vietnam included former state-owned enterprises (SOEs), organisations owning large portions of former SOEs, and organisations conducting transactions with Vietnamese government agencies.
“Although the specific objectives of the group for these recent attacks cannot be defined with high confidence, the past activities of BISMUTH have included operations in support of wider targets of espionage,” notes Microsoft.