ATK112

Presumed Origin:

Alias: APT-C-38, ZooPark

ATK112 (aka ZooPark, the name used by Kaspersky) is a group that mostly uses an Android malware family, "UnitMM", which has gone through multiple iterations. The group was first observed in June 2015 and was still active as of 2018.


The group mostly focuses on espionage and has made technical progress since its debut: while it initially used forked commercial software to accomplish its goals, it later extended that code into a fully-fledged espionage platform.


According to 360 Beaconlab, however, the group purchases its malicious software from a commercial development group nicknamed "Apasec".


The group mainly used watering-hole attacks as its infection vector: researchers discovered several news websites that had been compromised to redirect visitors to a download site delivering the final malware.


The group deploys its tools through two main vectors: Telegram channels and watering holes.
It regularly uses compromised websites to gain access to its targets.


The group has also started using an exclusive Windows malware family, nicknamed "SpecialSaber".


References

Target sector

  • International Organizations
  • Media
  • Political Organizations

Target countries

  • Egypt
  • Iran, Islamic Republic Of
  • Iraq
  • Jordan
  • Kuwait
  • Lebanon
  • Morocco

Attack pattern

  • T1003 - Credential Dumping
  • T1022 - Data Encrypted
  • T1041 - Exfiltration Over Command and Control Channel
  • T1043 - Commonly Used Port
  • T1056 - Input Capture
  • T1057 - Process Discovery
  • T1074 - Data Staged
  • T1083 - File and Directory Discovery
  • T1089 - Disabling Security Tools
  • T1113 - Screen Capture
  • T1114 - Email Collection

Motivation

  • Espionage
  • Information theft

Malware

  • SpecialSaber
  • UnitMM

Vulnerabilities