APT Patchwork‘s “Herminister Operation” | Desmond Dai & Bohang Mo
In 2022, the Knownsec APT TI team discovered a series of attacks from APT Patchwork. During tracking, we found bundles of weapons belonging to the attack, which we named the "Herminister Operation" after the name of one of its weapons.
Through analysis, we confirmed that the weapons in the arsenal used in the Herminister Operation had not previously been disclosed by the community. The Patchwork arsenal uses a large number of open-source red team tools, and the group also carries out secondary development on free tools.
Additionally, we discovered specific strings belonging to the Confucius APT group that were also used in Herminister, suggesting shared resources among South Asian APT groups.
The whole arsenal contains multiple sets of attack chains, each equipped with a full range of functions, including information gathering, UAC bypass, intra-domain lateral movement, propagation into isolated networks, installation and deployment, a downloader, a RAT, a keylogger, and a screen-capture tool. The total number of weapons is 76.
This talk focuses on sharing the arsenal, techniques and tactics of the "Herminister Operation".
#SAS2023 #Herminister #HerministerOperation #Kaspersky
by Kaspersky Tech