Kaspersky researchers have linked more than 300 samples of a backdoor named Bisonal to a campaign by the advanced persistent threat (APT) group CactusPete, a cyberespionage actor active since at least 2012. The campaign has focused on military and financial targets in Eastern Europe and highlights how quickly the group is developing its tooling.

CactusPete, also known as Karma Panda or Tonto Team, has refined its backdoor to target representatives of the military and financial sectors in Eastern Europe in order to gain access to confidential information. The speed at which new malware samples are being produced suggests the group is developing rapidly, so organizations in these sectors should be vigilant.

Kaspersky first detected the campaign in February 2020, when researchers discovered an updated version of the group’s Bisonal backdoor. Using the Kaspersky Threat Attribution Engine, a tool that compares malicious code against code used by known threat actors in order to determine which group is responsible for an attack, they linked this sample to more than 300 other samples observed in the wild.

All 300 samples appeared between March 2019 and April 2020, roughly 20 per month, underscoring the pace at which CactusPete is developing. The group has continued to expand its capabilities: in 2020 it gained access to more sophisticated tooling, such as the ShadowPad backdoor.


The payload’s functionality suggests that the group is after highly confidential information. Once installed on the victim’s device, the Bisonal backdoor allows the operators to stealthily launch programs, terminate processes, upload, download and delete files, and retrieve a list of available disk drives. As the operators move deeper into the infected system, they install keyloggers to harvest credentials and download privilege escalation malware, gradually gaining more control over the machine.

It is unclear how the backdoor was initially delivered in this latest campaign. In the past, CactusPete has mainly relied on spear-phishing emails carrying malicious attachments; opening the attachment infects the device.

To protect organizations against CactusPete and other APTs, Kaspersky experts recommend: