In mid-2021, researchers from Kaspersky uncovered a slew of new attacks by the Middle Eastern APT group known as DeftTorero, or Volatile Cedar.
The group has been active since 2012, targeting the government, military, education, corporate and telecoms sectors, particularly across the UAE, Saudi Arabia, Egypt, Kuwait, Lebanon, Jordan and Turkey.
In the past, the group relied heavily on a custom-made remote access Trojan named Explosive, which it implanted on targets such as publicly accessible web servers or internal systems to harvest sensitive information.
In addition, DeftTorero chose only a handful of targets to limit its exposure. Once in control of an Internet-exposed server, it penetrated the internal network via various means, including credential stuffing or password reuse.
Flying under the radar
Kaspersky has had an eye on the group since 2015, but the group went radio silent and no new intelligence or intrusions were reported until last year. This led the security giant to suspect a shift in the tools, tactics and procedures the attackers used to camouflage their activity, such as relying on fileless malware to remain undetected.
A further investigation revealed that Volatile Cedar possibly exploited a file upload form and/or a Web application command injection vulnerability in a production or staging Web site hosted on the target Web server to install a webshell.
In other instances, plugins pre-installed by the server admins were likely exploited, and server credentials from systems in the same organisation were used to log in via the Remote Desktop Protocol to deploy a malicious script or webshell.
Once DeftTorero found a way to upload the malicious script, it attempted to drop additional tools to penetrate internal systems. Kaspersky's intrusion analysis highlighted that almost all the webshells deployed originated from a single GitHub account and were either used as is or slightly modified.
Ariel Jungheit, a senior security researcher at Kaspersky GReAT, says these groups are highly creative when it comes to evading detection.
“Although DeftTorero did not have a high level of technological prowess in the past, time proved that open-source tools, fileless attacks and tooling modification are still used to successfully compromise victims,” he explains.
Using backdoors, the APT group is able not only to find gateways into its target, but also to use them to connect to other servers. Because these attacks develop rapidly and often go undetected, it is crucial to mitigate them in the early stages.
“It is our advice that organisations constantly monitor the vulnerabilities arising from publicly accessible web applications, as well as monitor web app file integrity,” Jungheit adds.
To avoid falling victim to this group, Kaspersky researchers recommend thoroughly assessing Web vulnerabilities, which includes monitoring the file integrity on Web servers.
In addition, it says to scan web server backups occasionally, as some of the threat actor tools were located in backups, and if the backups were restored at a later stage, the attacker could regain persistent access and continue where they left off.
Finally, IT administrators should be aware of their own publicly exposed attack surface such as Web applications and FTP servers.
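The file integrity monitoring the researchers recommend can be reduced to a small baseline-and-compare routine. The script below is an added illustration, not Kaspersky's tooling or anything recovered from the intrusions: it hashes every file under a web root, compares a later snapshot against the baseline, and flags any added or modified file with a server-executable extension, which is how an uploaded or planted webshell shows up. Pointing it at a restored backup directory gives the same check for tools left behind in backups. The sample web root, file names and contents in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions the web server will execute; a new or changed file with one of
# these under the web root (especially an upload directory) is the classic
# webshell signal. Assumed list; extend it for the stack in use.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx", ".cgi"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline and which changes look like webshells."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    suspicious = sorted(p for p in added + modified if Path(p).suffix.lower() in SCRIPT_EXTENSIONS)
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then a script lands in the
    upload directory and an existing page is edited. Both should be flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed sample")
        baseline = snapshot(root)  # in practice, persist this and re-read it on each check
        (root / "uploads" / "avatar.php").write_text("<?php /* constructed stand-in */ ?>")
        (root / "index.php").write_text("<?php echo 'hello'; /* edited */ ?>")
        return diff_snapshots(baseline, snapshot(root))
```

Run on a real deployment, the baseline would be taken right after a known-good release and stored off the web server, so that an attacker who controls the host cannot rewrite it.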