An advanced persistent threat (APT) group has been caught cyber-spying on financial and military organizations in Eastern Europe.
CactusPete, also known as Karma Panda or Tonto Team, has been active since at least 2012 but appears to have ramped up its activities over the past year and a half.
Researchers at Kaspersky were able to link hundreds of samples of a backdoor called Bisonal to a campaign orchestrated by CactusPete. The samples appeared between March 2019 and April 2020 at a pace of around 20 samples per month, which researchers believe "underscores the fact that CactusPete is developing rapidly."
The threat group's most recent wave of activity was first detected by researchers in February 2020, when they discovered an updated version of Bisonal. This version was linked to over 300 other samples in the wild using Kaspersky Threat Attribution Engine, a tool for analyzing malicious code for similarities with code deployed by known threat actors.
"This time, they’ve upgraded their backdoor to target organizations in the military and financial sectors in Eastern Europe, most likely in an effort to gain access to confidential information," wrote researchers.
"The speed at which the new malware samples are being created suggests the group is rapidly developing."
Researchers found evidence that the group has refined its capabilities, gaining access to more sophisticated code like ShadowPad in 2020. They believe that CactusPete is on the hunt for "highly sensitive information" and warned organizations in the Eastern European region to be on alert.
Explaining how the threat group's malicious payload functions, researchers said: "Once installed on the victim’s device, the Bisonal backdoor it uses allows the group to silently start various programs, terminate any processes, upload/download/delete files, and retrieve a list of available drives.
"In addition, as the operators move deeper into the infected system, they deploy keyloggers to harvest credentials and download privilege escalation malware to gradually gain more and more control over the system."
While previous campaigns by the group used spear-phishing to attack victims, researchers were unable to pin down how CactusPete is getting targets to download the latest version of its backdoor.