APT attacks’ impacts are most noteworthy in three fields: destruction of industrial systems, crimes in financial systems, and geopolitical impacts. In the next few years, APT attacks will show the following four trends: cyberspace will become a new battlefield for the world’s big powers, destructive attacks on infrastructure will become increasingly active, there will be a remarkable increase in attacks on particular individuals’ mobile devices, and Belt Road and military-civilian integration will be the focus of attacks.
A common method attackers use to hide their traces is to cloak malicious EXE files with Word or PDF icons so that users cannot tell the difference without inspecting the file's attributes or properties. The Sphinx attackers adopt this method as well, but they also attempt to conceal the attack by making the master program "invisible". In our analysis, Sphinx's master program was found to be disguised with a Word icon in order to lure users into clicking it. Upon being clicked, the master program released several DLL files, which can be categorized by functionality into 9 types of plugin modules. The core DLL file could start itself after registering as a plugin of the resource management panel. Then, depending on the configuration, remote injection was triggered to inject the other functional DLLs into the corresponding running processes. In this way, by the time the malware was running, the master program had already been split into several imperceptible pieces, which reduces the chance that the targets notice the malware's presence. Multiple encryption algorithms were used simultaneously to hamper detection.
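A defender-side check for the icon-cloaking trick described above, added here as an example and not part of this report or the Sphinx analysis. It assumes only the file name and its leading bytes as inputs, and the sample set is constructed, not drawn from real artefacts:

```python
import os

# Document extensions that attackers commonly spoof with a Word or PDF icon.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx"}
# Windows executable types that can carry an arbitrary icon resource.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
PE_MAGIC = b"MZ"  # DOS stub header that every Windows PE file starts with


def masquerade_reasons(filename: str, head: bytes) -> list:
    """Return the reasons a file looks like an executable disguised as a document.

    `filename` is the name the user sees; `head` is the first bytes of content.
    An empty list means none of the heuristics fired.
    """
    reasons = []
    parts = filename.lower().split(".")
    exts = ["." + p.strip() for p in parts[1:]]
    if not exts:
        return reasons
    last = exts[-1]
    # 1. Double extension: "invitation.docx.exe" shows as "invitation.docx" when
    #    Explorer hides known extensions, and the icon completes the illusion.
    if last in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        reasons.append("document-looking name ends in executable extension %s" % last)
    # 2. Content/extension mismatch: a file named *.doc or *.pdf whose bytes start
    #    with the PE header is an executable regardless of the icon it shows.
    if last in DOCUMENT_EXTS and head.startswith(PE_MAGIC):
        reasons.append("extension %s but content starts with PE header" % last)
    return reasons


def scan_file(path: str, nbytes: int = 64) -> list:
    """Apply the heuristics to a real file on disk."""
    with open(path, "rb") as fh:
        head = fh.read(nbytes)
    return masquerade_reasons(os.path.basename(path), head)


# Constructed samples standing in for files from a mailbox or share (not real artefacts).
SAMPLES = {
    "quarterly_report.docx": b"PK\x03\x04",    # genuine OOXML (zip) container
    "budget.pdf": b"%PDF-1.7\n",               # genuine PDF
    "invitation.docx.exe": b"MZ\x90\x00\x03",  # PE behind a double extension
    "agenda.doc": b"MZ\x90\x00\x03",           # PE renamed to .doc
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        hits = masquerade_reasons(name, head)
        print("%-22s %s" % (name, "; ".join(hits) or "ok"))
```

The header check catches the renamed executable even when the icon and extension both look like a document; the double-extension check catches the case where the content is honest but the name is not.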
Operation Mermaid is a series of outbound APT attacks that target government entities. It has been active for 6 years, since April 2010, with its latest activity detected in January 2016. As of now, we have captured 284 malicious code samples and 35 C&C domains connected to it. Sufficient evidence has been found that Mermaid is the APT organization behind the attacks on the Denmark Embassy.
What also caught our attention is that members of this organization communicated via Onion.City, which let them visit Deep Web domains without the Tor browser. This created an ideal cloak of invisibility for the hackers within Tor's anonymous environment. In addition, our in-depth analysis reveals that this threat actor tried to fly false flags and mislead investigators by adopting the techniques and resources of other APT organizations that have already been publicly exposed.