GOV HACKERS MASTER NEW DISGUISE TECH

Cyberespionage and APT groups have recently been observed using ransomware in their attacks, not only for financial gain but also to make attribution harder. The tactic distracts defenders and muddies the trail back to the true source of the intrusion.

According to a report by analysts at SentinelLabs and Recorded Future, the ChamelGang APT group, suspected of being linked to China, has used the CatB ransomware in attacks on major organizations worldwide. The group, also tracked as CamoFei, targeted government entities and critical infrastructure from 2021 to 2023, using sophisticated techniques for initial access, reconnaissance, lateral movement and exfiltration of sensitive data.

In November 2022 the group attacked the administration of the President of Brazil, compromising 192 computers. It then deployed the CatB ransomware on the network and left ransom notes. The attack was initially attributed to TeslaCrypt; new evidence presented by SentinelLabs and Recorded Future links it to ChamelGang.

ChamelGang is also believed to be behind a late-2022 attack on the All India Institute of Medical Sciences (AIIMS) that disrupted medical services. The group is further suspected of targeting a government institution in East Asia and an aviation organization in the Indian subcontinent, combining well-known tactics with its own BeaconLoader malware.

In a separate cluster of intrusions identified by SentinelLabs and Recorded Future, Jetico BestCrypt and Microsoft BitLocker were used for encryption instead of CatB. These incidents affected 37 organizations in North America, South America and Europe and show overlaps with past activity attributed to Chinese and North Korean APT groups.

The attackers typically used BestCrypt to encrypt servers and BitLocker to encrypt workstations, with the China Chopper web shell providing access and Active Directory domain controllers used to support the operation. Both encryption tools are legitimate software, so the encryption step involves no ransomware binary for signature-based detection to catch. The intrusions lasted nine days on average, and the attackers showed a good understanding of the target environments.
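Because the encryption stage in this cluster relies on built-in or commercial tools, detection has to key on how those tools are invoked rather than on a malware hash. The script below is an added example, not code from the SentinelLabs / Recorded Future report or from any affected organization: it scans process-creation events for BitLocker being driven from the command line or PowerShell, and for commands spawned by the IIS worker process w3wp.exe, which is where a China Chopper web shell executes. The event format and every sample line are constructed for the example; the switch and cmdlet lists are standard Windows names, but the host names, users and paths are invented. BestCrypt is left out because the article gives no command-line indicators for it; an analyst would add its binary name to the watch list once it is known.

```python
"""Hunt for living-off-the-land disk encryption and web-shell child processes.

Added example. The key="value" event format is a constructed, simplified
rendering of process-creation telemetry (Sysmon Event ID 1 / Security 4688
fields); real pipelines would feed parsed events straight into analyze().
"""
import re
from pathlib import PureWindowsPath

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample events (not real telemetry). Hosts, users and commands
# are invented to exercise each rule once plus two benign lines.
SAMPLE_EVENTS = [
    'host="WS01" user="CORP\\alice" parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Windows\\System32\\notepad.exe" cmd="notepad.exe"',
    'host="WS02" user="CORP\\svc_admin" parent="C:\\Windows\\System32\\cmd.exe" '
    'image="C:\\Windows\\System32\\manage-bde.exe" cmd="manage-bde -on C: -pw -s"',
    'host="WS03" user="NT AUTHORITY\\SYSTEM" parent="C:\\Windows\\System32\\svchost.exe" '
    'image="C:\\Windows\\System32\\manage-bde.exe" cmd="manage-bde -status"',
    'host="WEB01" user="IIS APPPOOL\\DefaultAppPool" '
    'parent="C:\\Windows\\System32\\inetsrv\\w3wp.exe" '
    'image="C:\\Windows\\System32\\cmd.exe" cmd="cmd /c whoami"',
    'host="WS04" user="CORP\\bob" parent="C:\\Windows\\System32\\cmd.exe" '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmd="powershell -nop -c Enable-BitLocker -MountPoint C: -PasswordProtector -Password $p"',
]

# manage-bde switches that change encryption state (as opposed to -status,
# which only queries it). Matched as whole tokens to avoid substring hits.
BDE_STATE_SWITCHES = {"-on", "-protectors", "-lock", "-forcerecovery"}
# PowerShell cmdlets with the same effect.
BDE_CMDLETS = ("enable-bitlocker", "add-bitlockerkeyprotector", "lock-bitlocker")
# Binaries a web shell typically spawns under the IIS worker process.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "manage-bde.exe", "wmic.exe", "certutil.exe"}


def parse_event(line: str) -> dict:
    """Turn one key="value" line into a dict."""
    return dict(KV_RE.findall(line))


def analyze(event: dict) -> list:
    """Return the list of rule names the event triggers (empty if benign)."""
    image = PureWindowsPath(event.get("image", "")).name.lower()
    parent = PureWindowsPath(event.get("parent", "")).name.lower()
    cmd = event.get("cmd", "").lower()
    findings = []
    # Rule 1: BitLocker enabled, re-keyed or locked via manage-bde.exe.
    if image == "manage-bde.exe" and BDE_STATE_SWITCHES & set(cmd.split()):
        findings.append("bitlocker_state_change_cli")
    # Rule 2: the same via the BitLocker PowerShell module.
    if image in ("powershell.exe", "pwsh.exe") and any(c in cmd for c in BDE_CMDLETS):
        findings.append("bitlocker_state_change_powershell")
    # Rule 3: IIS worker spawning a shell or LOLBin, the web-shell pattern.
    if parent == "w3wp.exe" and image in SHELLS:
        findings.append("iis_worker_spawned_shell")
    return findings


def scan(lines) -> list:
    """Run analyze() over raw lines; return (host, user, findings) for hits only."""
    results = []
    for line in lines:
        event = parse_event(line)
        hits = analyze(event)
        if hits:
            results.append((event.get("host", "?"), event.get("user", "?"), hits))
    return results


if __name__ == "__main__":
    for host, user, hits in scan(SAMPLE_EVENTS):
        print(f"{host:6} {user:30} {', '.join(hits)}")
```

Legitimate endpoint management (MBAM, Intune, SCCM task sequences) also runs manage-bde and Enable-BitLocker, so in production rule 1 and rule 2 need a parent-process or account allowlist tuned to the environment; rule 3 is rarely benign on a web server and is the one to page on first. The rules are deliberately independent so that a single event can carry more than one finding, for example manage-bde launched directly from w3wp.exe.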

Overall, using ransomware in cyberespionage operations offers strategic and operational advantages: it blurs the line between APT groups and cybercriminals, which can lead to misattribution or obscure the attackers' true motive, such as data collection.
