New Hacking Cluster 'Clasiopa' Targeting Materials Research Organizations in Asia

Materials research organizations in Asia have been targeted by a previously unknown threat actor using a distinct set of tools.

Symantec, by Broadcom Software, is tracking the cluster under the moniker Clasiopa.

The origins of the hacking group and its affiliations are currently unknown, but there are hints that suggest the adversary could have ties to India.

This includes references to "SAPTARISHI-ATHARVAN-101" in a custom backdoor and the use of the password "iloveindea1998^_^" for a ZIP archive.

It's worth noting that Saptarishi, meaning "Seven sages" in Sanskrit, refers to a group of seers who are revered in Hindu literature. Atharvan was an ancient Hindu priest and is believed to have co-authored one of the four Vedas, a collection of religious scriptures in Hinduism.

"While these details could suggest that the group is based in India, it is also quite likely that the information was planted as false flags, with the password in particular seeming to be an overly obvious clue," Symantec said in a report shared with The Hacker News.

Also unclear is the exact means of initial access, although it's suspected that the cyber incursions take advantage of brute-force attacks on internet-facing servers.

Some of the key hallmarks of the intrusions involve clearing System Monitor (Sysmon) and event logs as well as the deployment of multiple backdoors, such as Atharvan and a modified version of the open source Lilith RAT, to gather and exfiltrate sensitive information.
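Log clearing of the kind described above leaves its own trace: Windows writes Event ID 1102 to the Security log when the audit log is cleared, and Event ID 104 to the System log when any other log (including Microsoft-Windows-Sysmon/Operational) is cleared. The following detection is an added example, not code from Symantec's report; the record field names (channel, event_id, provider, message) are assumed from a typical SIEM export, and the sample events are constructed.

```python
"""Flag Windows event-log clearing from exported event records.

Added example, not part of Symantec's report. Record shape (channel, event_id,
provider, message) is an assumption modelled on a generic SIEM export.
Detection points:
  - Security log cleared:            Event ID 1102, provider Microsoft-Windows-Eventlog
  - any other log cleared (System,
    Application, Sysmon/Operational): Event ID 104, provider Microsoft-Windows-Eventlog
"""
from dataclasses import dataclass

CLEAR_EVENTS = {("Security", 1102), ("System", 104)}
EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"

# Constructed sample records. Clearing the Sysmon channel is recorded in the
# System channel as Event ID 104 with the cleared log named in the message.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "provider": "Microsoft-Windows-Security-Auditing",
     "message": "An account was successfully logged on."},
    {"channel": "System", "event_id": 104, "provider": EVENTLOG_PROVIDER,
     "message": "The Microsoft-Windows-Sysmon/Operational log file was cleared."},
    {"channel": "Security", "event_id": 1102, "provider": EVENTLOG_PROVIDER,
     "message": "The audit log was cleared."},
    {"channel": "System", "event_id": 104, "provider": "SomeApp",
     "message": "Unrelated application event that happens to reuse ID 104."},
]


@dataclass(frozen=True)
class Finding:
    channel: str
    event_id: int
    cleared_log: str


def cleared_log_name(event: dict) -> str:
    """Name the cleared log: Security for 1102, else the log named in the 104 message."""
    if event["event_id"] == 1102:
        return "Security"
    words = event["message"].split()
    # Message shape: "The <LogName> log file was cleared."
    return words[1] if len(words) > 1 and words[0] == "The" else "unknown"


def find_log_clearing(events: list[dict]) -> list[Finding]:
    """Return one Finding per log-clearing record; the provider check drops
    unrelated sources that happen to reuse the same numeric event IDs."""
    return [Finding(ev["channel"], ev["event_id"], cleared_log_name(ev))
            for ev in events
            if (ev["channel"], ev["event_id"]) in CLEAR_EVENTS
            and ev["provider"] == EVENTLOG_PROVIDER]


if __name__ == "__main__":
    for f in find_log_clearing(SAMPLE_EVENTS):
        print(f"log cleared: {f.cleared_log} (channel={f.channel}, id={f.event_id})")
```

A single cleared-log finding is rarely benign on a server; correlate it with the preceding logon events and with the Sysmon service state to see whether telemetry was removed before the backdoors were deployed.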

Atharvan is further capable of contacting a hard-coded command-and-control (C&C) server to retrieve files and run arbitrary executables on the infected host.

"The hard-coded C&C addresses seen in one of the samples analyzed to date was for Amazon AWS South Korea (Seoul) region, which is not a common location for C&C infrastructure," the company pointed out.

The disclosure comes a day after the cybersecurity firm took the wraps off another hitherto undocumented threat group known as Hydrochasma that has been observed targeting shipping companies and medical laboratories in Asia.
