A new threat group has appeared on the cybercrime scene and appears to be going after targets in Asia. It is not known which country it is affiliated with, and the indicators pointing to India are likely to be “false flags”, according to security firm Symantec.
Dubbed Clasiopa by Symantec's analysts, the group was observed targeting a research body in Asia with what appears to be a custom-made malware tool, known as Backdoor.Atharvan.
The latter takes its name from a legendary Hindu sage in ancient Vedic scripture, though Symantec believes the name could simply be a red herring planted by the threat actors.
“There is currently no firm evidence on where Clasiopa is based or what its motivation is,” it said. “While these details could suggest that the group is based in India, it is also quite likely that the information was planted as false flags, with the password in particular seeming to be an overly obvious clue.”
The firm was similarly uncertain about the group's modus operandi when it comes to breaching target organizations.
“The infection vector used by Clasiopa is unknown, although there is some evidence to suggest that the attackers gain access through brute force attacks on public facing servers,” Symantec added.
Other hallmarks of Clasiopa's activity to watch for include requests to the URL https://ifconfig.me/ip to check the public IP address of a compromised host, and the deployment of multiple backdoors to maintain access and build lists of file names for exfiltration, in layman's terms, stealing.
Symantec also reports that Clasiopa appears to use legitimate software as part of its toolkit: one compromised computer it examined was found running “Agile DGS and Agile FD servers, software developed by Jiangsu”.
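The ifconfig.me indicator is simple to hunt for in web proxy logs. The following is an added example, not code from Symantec or Cybernews: it scans constructed proxy log lines in an assumed format (timestamp, client IP, method, URL or CONNECT target, status) and reports which internal clients reached the indicator's host. It matches on the exact hostname rather than a substring, so look-alike domains and URLs that merely contain "ifconfig.me" in the path do not trigger, and it also catches HTTPS CONNECT tunnels, where the proxy never sees the /ip path. Note that ifconfig.me is a legitimate public service, so a hit on its own is a low-fidelity lead that needs correlating with other activity on the same host.

```python
"""Flag outbound requests to the external-IP lookup service named in the
article (https://ifconfig.me/ip) in proxy logs.

Example code added for illustration; not Symantec's or Cybernews' code.
The log format and the sample lines below are constructed for the example."""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicator from the article: the group checks a host's public IP via this URL.
IOC_URL = "https://ifconfig.me/ip"
IOC_HOST = urlsplit(IOC_URL).hostname  # "ifconfig.me"

# Constructed sample proxy log (assumed format, not a specific product's):
# <timestamp> <client_ip> <method> <url-or-connect-target> <status>
SAMPLE_LOG = """\
2023-02-21T08:15:02Z 10.20.30.41 GET https://ifconfig.me/ip 200
2023-02-21T08:15:09Z 10.20.30.41 GET https://update.example.com/manifest 200
2023-02-21T08:16:44Z 10.20.30.77 GET http://ifconfig.me/ip 200
2023-02-21T08:17:01Z 10.20.30.41 CONNECT ifconfig.me:443 200
2023-02-21T08:18:30Z 10.20.30.12 GET https://ifconfig.me.evil.example/ip 200
2023-02-21T08:19:15Z 10.20.30.55 GET https://www.example.org/ifconfig.me/ip 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def ioc_host_matches(target: str) -> bool:
    """True if the request's destination host is exactly the indicator host.

    Accepts full URLs and bare CONNECT host:port targets. Comparing the parsed
    hostname (not a substring) rejects look-alikes such as
    ifconfig.me.evil.example and URLs that only carry the string in the path."""
    if "://" not in target:
        target = "//" + target  # let urlsplit treat a bare host:port as netloc
    host = urlsplit(target).hostname
    return host is not None and host.lower() == IOC_HOST


def find_ip_check_requests(log_text: str) -> dict[str, list[str]]:
    """Return {client_ip: [timestamps]} for every request whose destination
    host is the indicator host, in log order. Unparseable lines are skipped."""
    hits: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, target, _status = m.groups()
        if ioc_host_matches(target):
            hits[client].append(ts)
    return dict(hits)


if __name__ == "__main__":
    for client, times in find_ip_check_requests(SAMPLE_LOG).items():
        print(f"{client}: {len(times)} request(s) to {IOC_HOST} at {', '.join(times)}")
```

Run against the sample, the scan reports two internal clients: 10.20.30.41 (one GET and one CONNECT) and 10.20.30.77; the look-alike domain and the path-only match are correctly ignored. In practice the same check can be pointed at DNS logs (queries for ifconfig.me) where proxy logs are unavailable.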
More from Cybernews: