Asian orgs targeted by the new Clasiopa hacking group

March 1, 2023

Threat researchers have discovered a previously unknown hacking group, dubbed Clasiopa, that targets materials research organisations across Asia. The researchers have not yet been able to determine the group's origins.

However, during their in-depth analysis of the group, the researchers noticed several clues suggesting that Clasiopa might be India-based. These include the group's use of a custom backdoor named “SAPTARISHI-ATHARVAN-101” and a ZIP file protected with the password “iloveindea1998^_^”.

In Sanskrit, Saptarishi means “seven sages”, a group of revered seers in Hindu literature, while Atharvan refers to an ancient Hindu priest. The ZIP file password also points plainly to India, but the researchers consider this clue too obvious, which makes them question whether it genuinely indicates a connection with the country.

The new Clasiopa hacking group is believed to rely on brute-force attacks against internet-facing servers in its operations.

In the group's attack process, the researchers observed several malicious activities, including clearing the infected machine's system monitor logs and event logs. Clasiopa also deploys backdoors during the intrusion, such as Atharvan and the Lilith RAT, which are used to collect sensitive data from the targets.
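The log clearing described above is the one step in this report a defender can detect directly from Windows telemetry. The following is an added example, not code from the article or the researchers: it scans constructed event records for the standard Windows indicators of a cleared log, Security event 1102 (“The audit log was cleared”) and System event 104 (“The <channel> log file was cleared”), and assumes that the “system monitor” log mentioned above is Sysmon's Microsoft-Windows-Sysmon/Operational channel.

```python
# Added example (not from the original article): flag Windows event records that
# show an event log being cleared, the defence-evasion step attributed to Clasiopa.
# Event IDs are the standard ones: Security 1102 and System 104. The System 104
# message names the cleared channel, which covers Sysmon's operational log (an
# assumption about what the article calls the "system monitor" log).
from dataclasses import dataclass

@dataclass(frozen=True)
class LogClearAlert:
    host: str
    cleared_channel: str
    user: str
    source_event: str

# Constructed sample records in a simplified, normalised form (as a SIEM might
# present them); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "lab-ws01", "channel": "Security", "event_id": 4624,
     "user": "alice", "message": "An account was successfully logged on."},
    {"host": "lab-ws01", "channel": "Security", "event_id": 1102,
     "user": "alice", "message": "The audit log was cleared."},
    {"host": "lab-ws01", "channel": "System", "event_id": 104, "user": "alice",
     "message": "The Microsoft-Windows-Sysmon/Operational log file was cleared."},
    {"host": "lab-ws02", "channel": "System", "event_id": 104,
     "user": "bob", "message": "The Application log file was cleared."},
    {"host": "lab-ws02", "channel": "System", "event_id": 7036,
     "user": "SYSTEM", "message": "The Sysmon64 service entered the running state."},
]

def detect_log_clearing(events):
    """Return one alert per record that indicates an event log was cleared."""
    alerts = []
    for ev in events:
        if ev["channel"] == "Security" and ev["event_id"] == 1102:
            alerts.append(LogClearAlert(ev["host"], "Security", ev["user"], "Security/1102"))
        elif ev["channel"] == "System" and ev["event_id"] == 104:
            # Event 104 embeds the cleared channel in its message text.
            msg, prefix, suffix = ev["message"], "The ", " log file was cleared."
            ok = msg.startswith(prefix) and msg.endswith(suffix)
            channel = msg[len(prefix):-len(suffix)] if ok else "unknown"
            alerts.append(LogClearAlert(ev["host"], channel, ev["user"], "System/104"))
    return alerts

def hosts_with_sysmon_cleared(events):
    """Hosts where specifically the Sysmon operational log was cleared."""
    return sorted({a.host for a in detect_log_clearing(events)
                   if a.cleared_channel.startswith("Microsoft-Windows-Sysmon")})

if __name__ == "__main__":
    for alert in detect_log_clearing(SAMPLE_EVENTS):
        print(alert)
```

A Security 1102 and a System 104 on the same host in a short window, as in the constructed sample for lab-ws01, is the pattern worth escalating; Sysmon's own log being cleared removes the process and network telemetry needed to trace the backdoor.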

The researchers also note that the Atharvan backdoor contacts the threat operators’ hard-coded remote C2 server to retrieve or send files. It can also run arbitrary executables on the infected computer.

An interesting finding in the attack process is the location of the operators' hard-coded C2 addresses, which pointed to Amazon AWS infrastructure in the Seoul (South Korea) region. According to the analysts, this is not a common C2 hosting location among cybercriminal groups.

Like many other hacking groups in the wild, Clasiopa intends to keep its operations discreet and undetected inside the infected host while achieving persistence and stealing critical data.

Since most of the group's victims are Asian organisations, particularly materials research groups, security experts advise entities within this sector and region to strengthen their security measures as early as possible.
