An emerging advanced persistent threat (APT) group, named Armored Likho, has been identified as targeting both governmental bodies and electric power companies across several nations, according to a report by Kaspersky.
Armored Likho’s Dual-Edged Strategy
Armored Likho is involved in both financial cybercrimes aimed at individuals and espionage activities against organizations in Russia, Brazil, and Kazakhstan. The group employs a versatile toolkit, including modular remote access trojans (RATs) and information stealers such as the Python-based BusySnake Stealer. They also utilize Go2Tunnel for remote access and network tunneling.
Kaspersky highlights that this array of malware allows the threat actor to maintain covert control over infected systems, extract sensitive data, and deploy custom modules suited to the specific target and mission objectives.
Tactics and Techniques
The primary method of initial compromise used by Armored Likho is spear-phishing. They send emails with attached archives containing executables or LNK files. Once these are opened, they distract the user with decoy content while silently installing malware.
This malware includes a loader that, once executed, retrieves archives from GitHub repositories. These repositories contain early-stage development builds and test samples of the malware. The LNK files present a deceptive document while secretly downloading a Python 3.12 interpreter and an archive in the background.
Advanced Malware Capabilities
The archives feature a Python-based infostealer, BusySnake Stealer, which has numerous evasion techniques. It dynamically decrypts bytecode during function calls and encrypts it immediately afterward, all while operating without a visible console window.
BusySnake Stealer is equipped with multiple handlers to manage different functions, including stealing clipboard content, enumerating files, extracting keys, exfiltrating documents, capturing screenshots, checking for persistence, and executing commands. It can also log keystrokes, decrypt stored passwords from browsers, extract browser cookies, search for cryptocurrency wallets, obtain Telegram sessions and credentials, and establish reverse SSH tunnels for persistent access.
Initially, Armored Likho used Go2Tunnel to create reverse SSH tunnels, but this function is now integrated into the BusySnake Stealer, enhancing the attackers’ ability to maintain remote control over affected systems.
Implications and Future Outlook
Armored Likho’s activities show parallels with the Eagle Werewolf group, as both have utilized similar RAT structures and persistence mechanisms. This overlap suggests a possible collaboration or shared origin. The group’s continued evolution and sophisticated tactics pose significant threats to global cybersecurity.
The ongoing development and deployment of such advanced malware highlight the increasing need for robust cybersecurity measures. Organizations worldwide must enhance their defenses to counteract these complex cyber threats effectively.
