APT Groups Get Innovative -- and More Dangerous -- in Q3

Published: 23/11/2024   Category: security


In curious trend, more threat actors diversified their tool sets in the third quarter than usual.



Even the most sophisticated advanced persistent threat groups (APT) tend to stick with old tactics, techniques, and procedures as long as they work. However, whenever needed, the groups can innovate in extremely dangerous ways.
A threat campaign last quarter — in which a so-far-unknown attacker modified platform-level firmware to plant exceptionally persistent and hard-to-remove malware on an organization's system — is a case in point.
It was one of several new and sophisticated attack tactics that security vendor Kaspersky observed in the third quarter of this year as APT groups diversified their tool sets in larger numbers than usual. In a report this week, Kaspersky described the activity as "curious" and an example of how APT threat actors reinvent themselves and their tool sets even as they rely on old tools and tactics when possible.
Mark Lechtik, senior security researcher at Kaspersky, says at least two organizations were infected with the malicious firmware implant. Both were diplomatic entities based in Asia.
He describes the attack as involving the introduction of rogue logic into existing Unified Extensible Firmware Interface (UEFI) firmware.
UEFI is a specification for the interface between a computer's operating system and platform firmware. UEFI has mostly replaced the traditional BIOS in modern PCs.
The UEFI modification allowed the attacker to install malware that was so persistent it could survive operating system reinstallation and even replacement of the hard drive. Such campaigns are not very common for several reasons, Lechtik says. "Most notably, introduction of rogue logic into an existing UEFI firmware is a complicated process that typically requires finding security soft spots in the targeted platform."
"To install malware on a device via the UEFI firmware, an attacker would need to find a way to write to the SPI flash chip, determine if the firmware in question enforces digital signatures, and then find a way to bypass those mechanisms," he says.
In order to execute such an attack successfully, an attacker would likely need some kind of physical access to the target device and get it to boot from a USB with a utility that can overwrite the UEFI firmware with malicious code. At least one other entity, the surveillance company Hacking Team, used the same tactic to deploy a backdoor on systems. "It is plausible that in spite of the complexity of compromising UEFI firmware, there are more cases of infection in the wild that we are yet to discover," Lechtik says.
Another example of a threat actor that diversified its tool set in a unique manner last quarter was Ke3chang, an APT group believed to be based in China. Kaspersky researchers observed the threat actor using steganography to hide malware in a Windows Defender binary digitally signed with Microsoft's Authenticode code-signing technology.
Cracking the Code
"We see various sorts of steganography in use in different attacks by different APT actors," says Ariel Jungheit, senior security researcher at Kaspersky. What made this attack different was the manner in which an Authenticode-signed executable was abused, he says. "Ke3chang found a way to embed the payload without invalidating the Authenticode signature — something we haven't seen being used by a threat actor before."
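The article does not say how Ke3chang embedded its payload. As an added defensive example (not from the article or from Kaspersky), the check below relies on one documented property of Authenticode: the signature hash excludes the PE attribute certificate table itself, so bytes placed in that table beyond the PKCS#7 blob leave the signature valid; `certificate_table_slack` measures that unaccounted space, and `build_sample_pe` constructs a minimal sample PE32+ to run it against (both names are my own).

```python
import struct

def _der_total_length(buf: bytes) -> int:
    """Length of the DER element at buf[0:], including tag and length bytes."""
    if len(buf) < 2 or buf[0] != 0x30:          # PKCS#7 SignedData is a SEQUENCE
        raise ValueError("not a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long-form: n length bytes follow
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def certificate_table_slack(pe: bytes) -> int:
    """Bytes inside the security directory not covered by any parsed PKCS#7 blob."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                                  # COFF header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)       # PE32+ vs PE32 data dirs
    sec_off, sec_size = struct.unpack_from("<II", pe, dd_off + 4 * 8)  # entry 4
    if sec_size == 0:
        return 0                                         # unsigned file: nothing to check
    table, slack, pos = pe[sec_off:sec_off + sec_size], 0, 0
    while pos + 8 <= len(table):
        dw_length, _rev, _ctype = struct.unpack_from("<IHH", table, pos)
        if dw_length < 8:
            break                                        # malformed entry, stop parsing
        body = table[pos + 8:pos + dw_length]
        slack += len(body) - _der_total_length(body)     # trailing bytes after DER
        pos += (dw_length + 7) & ~7                      # entries are 8-byte aligned
    return slack

def build_sample_pe(extra: bytes) -> bytes:
    """Constructed minimal PE32+ with one WIN_CERTIFICATE: fake DER blob plus `extra`."""
    der = b"\x30\x10" + b"\xAA" * 16                    # fake 18-byte DER SEQUENCE
    cert_body = der + extra
    dw_length = 8 + len(cert_body)
    sec_off = 0x40 + 4 + 20 + 240                        # DOS + PE sig + COFF + PE32+ opt
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)
    optional = bytearray(240); struct.pack_into("<H", optional, 0, 0x20B)
    struct.pack_into("<II", optional, 112 + 4 * 8, sec_off, (dw_length + 7) & ~7)
    cert = struct.pack("<IHH", dw_length, 0x0200, 0x0002) + cert_body
    cert += b"\0" * (((dw_length + 7) & ~7) - dw_length)  # alignment padding
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + cert
```

A non-zero result is only a lead, not proof: some signing tools leave a few bytes of slack, so compare the value across a fleet baseline before escalating.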
More generally, APT groups targeted more platforms, developed new infection chains and leveraged legitimate services as part of their attack infrastructure, Kaspersky said in its report. As an example of the expanded use of legitimate services in attacks, Jungheit points to threat actors using Google Drive, OneDrive, Dropbox, and web application development platforms such as Firebase to geofence attacks.
Kaspersky also observed threat actors increasingly using lesser-known programming languages to develop their malware. "We've seen APT actors make use of tools and malware written in Go as well as Python scripts in their attacks," he says.
For organizations, the main takeaway from the APT activity last quarter is that they need to pay attention to finding malicious activity in new and likely legitimate environments. While in the past it was easier to allow access and perhaps not monitor communications with popular cloud services, it's now less advised to do so.
