Palmerworm, an advanced persistent threat group that has been active since 2013, is waging a cyber espionage campaign targeting organizations in the U.S. and Asia. Palmerworm operators are using new customized malware as well as “living off the land” techniques – abusing tools and commands already built into the operating system for malicious purposes. The APT group, also known as BlackTech, has waged long-term espionage campaigns against a variety of industries. In its earlier campaign, which started in August 2019, the group targeted news media, electronics and finance companies in Taiwan, an engineering company based in Japan and a construction company in China, as well as U.S. organizations.
While we cannot see what Palmerworm is exfiltrating from these victims, the group is considered an espionage group, and its likely motivation is stealing information from targeted companies. Although it is not clear how the threat actor gained initial access in this campaign, it has previously used spear-phishing emails. The APT group is using previously unseen malware families labelled Backdoor.Consock, Backdoor.Waship, Backdoor.Dalwit and Backdoor.Nomri; these may, however, be new versions of malware variants the group used earlier. Palmerworm also uses a custom loader, detected as Trojan Horse, and a network reconnaissance tool detected as Hacktool. The group uses the dual-use tools PuTTY, PsExec, SNScan and WinRAR, which other intrusion groups also frequently weaponize; because these are legitimate administration tools, they give attackers a good degree of access to victim systems while blending in with normal activity. Palmerworm also signs its payloads with stolen code-signing certificates so that they appear to come from a legitimate publisher, an obfuscation technique that defeats naive “is it signed?” checks.
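The dual-use tools named above are the detection opportunity a defender has when the custom malware itself is unknown: each tool is legitimate on its own, but several of them on one workstation in a short window (remote execution, archiving, remote access, scanning) is the chain worth triaging. The following is an added example, not code from the article or from Palmerworm's tooling, that scans process-creation records for those tools and ranks hosts by how many distinct ones they ran. The pipe-separated `timestamp|host|user|image_path|command_line` format and the sample records are constructed for the demo; real telemetry would be mapped onto the same five fields.

```python
"""Detection sketch: flag dual-use tool execution and rank hosts.

Added example, not from the original article. The log format and the
SAMPLE_LOGS records are constructed; only the tool names come from the
write-up.
"""
from collections import defaultdict

# Dual-use tools the article names: legitimate admin/network/archiving
# utilities that the group also abuses. Keyed by lowercase image basename.
DUAL_USE_TOOLS = {
    "putty.exe": "remote access (PuTTY)",
    "psexec.exe": "remote execution (PsExec)",
    "snscan.exe": "network scanning (SNScan)",
    "winrar.exe": "archiving (WinRAR GUI)",
    "rar.exe": "archiving (WinRAR command line)",
}

# Constructed sample telemetry: timestamp|host|user|image_path|command_line
SAMPLE_LOGS = [
    "2020-09-01T10:00:01Z|WS01|acme\\jsmith|C:\\Windows\\System32\\svchost.exe|-k netsvcs",
    "2020-09-01T10:02:11Z|WS01|acme\\jsmith|C:\\Users\\jsmith\\Downloads\\PsExec.exe|\\\\FS01 -s cmd.exe",
    "2020-09-01T10:05:40Z|WS01|acme\\jsmith|C:\\Tools\\rar.exe|a -hpSecret C:\\Temp\\out.rar C:\\Finance",
    "2020-09-01T10:06:02Z|WS01|acme\\jsmith|C:\\Program Files\\PuTTY\\putty.exe|",
    "2020-09-01T11:00:00Z|FS01|acme\\admin|C:\\Windows\\explorer.exe|",
    "2020-09-01T11:30:00Z|WS02|acme\\itops|C:\\Tools\\snscan.exe|10.0.0.0/24",
]


def parse_line(line):
    """Split one pipe-separated record into a dict, or return None if malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5:
        return None
    ts, host, user, image, cmd = parts
    # Normalise to the lowercase basename so "C:\Program Files\PuTTY\putty.exe"
    # and a renamed copy in Downloads match the same key.
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return {"ts": ts, "host": host, "user": user, "image": image,
            "basename": basename, "cmd": cmd}


def find_dual_use(lines):
    """Return one hit per record whose image is a known dual-use tool."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["basename"] not in DUAL_USE_TOOLS:
            continue
        rec["purpose"] = DUAL_USE_TOOLS[rec["basename"]]
        # rar's -hp switch encrypts both headers and data; a password-protected
        # archive of user data is a common staging step before exfiltration.
        is_archiver = rec["basename"] in ("rar.exe", "winrar.exe")
        encrypted = any(tok.startswith("-hp") for tok in rec["cmd"].split())
        rec["note"] = "password-protected archive" if is_archiver and encrypted else ""
        hits.append(rec)
    return hits


def tools_by_host(hits):
    """Map host -> sorted list of distinct dual-use tools seen on it."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["host"]].add(h["basename"])
    return {host: sorted(tools) for host, tools in seen.items()}


def suspicious_hosts(hits, min_tools=2):
    """Hosts that ran at least min_tools distinct dual-use tools.

    One tool is routine admin work; several on one host is the
    remote-execution / collection / archiving chain worth a closer look.
    """
    return sorted(host for host, tools in tools_by_host(hits).items()
                  if len(tools) >= min_tools)


if __name__ == "__main__":
    hits = find_dual_use(SAMPLE_LOGS)
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['user']} {h['basename']} "
              f"[{h['purpose']}] {h['note']}")
    print("hosts to triage:", suspicious_hosts(hits))
```

On the sample records WS01 runs PsExec, rar (with an encrypted archive) and PuTTY within minutes and is the only host flagged; WS02's single SNScan run is reported as a hit but stays below the triage threshold, which is the right default for a tool an IT operations account may use legitimately. In production the basename match should be backed by a file hash or signer check, since a renamed binary would otherwise slip past it.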