On 18th December this year, a company in the US filed a case against the Thallium group in the District Court for the Eastern District of Virginia; the court has now enabled Microsoft to act on these issues by taking down 50 of Thallium's domains that were said to be used for malicious activities. The company's special units, Microsoft's Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC), have been tracking this group for a long time and gathering information to act on it.
What does APT37 do?
Like other cybercriminal groups, APT37 infects victims with its malware and primarily steals information. It then stays on the victim's system persistently and waits for the attacker's commands for further exploitation. Every group has its own signature techniques for exploiting victims; APT37 mostly relies on a method called spear phishing. First, the group gathers information about the target from sources such as public directories, social media, data banks and other public sources. Thallium then crafts a customised phishing email that convinces the victim it comes from a genuine sender and targets them with it. When the victim is alarmed enough to click the bait link, it redirects to a malicious site asking for login credentials. Thallium then logs into the victim's account and checks everything of interest, viz. emails, calendar appointments, contacts etc. It can even set a mail-forwarding rule so that any future emails received by the victim are also transferred to the attacker. Alongside this, the group deploys malware that can exfiltrate data and exploit further. To date, the popular malware used by APT37 has been found to be BabyShark and KimJongRAT.
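The mail-forwarding rule described above is one of the few parts of this tradecraft that leaves a durable, auditable trace: the rule lives in the victim's mailbox configuration. The following is an added example written for this article (not code from Microsoft, MSTIC or any product), showing how a defender can sweep exported inbox rules and flag any that forward or redirect mail to an address outside the organisation's own domains, with an extra note when the rule also deletes the original so the owner never sees the copy. The rule records, the field names (mailbox, name, forward_to, redirect_to, delete_message, enabled) and the organisation domains are constructed assumptions, not a real product's schema.

```python
"""Audit exported inbox rules for attacker-style external forwarding.

Added example; the record layout below is an assumed generic export and
the sample rules are constructed test data, not observed Thallium activity.
"""
from dataclasses import dataclass, field

# Assumed: the domains that belong to the organisation being audited.
ORG_DOMAINS = {"example.com", "corp.example.com"}


@dataclass
class InboxRule:
    mailbox: str                      # owner of the mailbox the rule lives in
    name: str                         # rule name as shown to the user
    forward_to: list = field(default_factory=list)   # keep copy, send copy on
    redirect_to: list = field(default_factory=list)  # send on without a copy
    delete_message: bool = False      # forwarding + delete hides the mail from the owner
    enabled: bool = True


def is_external(address: str) -> bool:
    """True when the address's domain is not one of the organisation's domains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in ORG_DOMAINS


def audit_rules(rules):
    """Return (mailbox, rule name, reason) for every enabled rule that sends
    mail to an external address; disabled rules and internal targets are skipped."""
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        targets = rule.forward_to + rule.redirect_to
        external = [t for t in targets if is_external(t)]
        if not external:
            continue
        reason = "sends mail to external address(es): " + ", ".join(external)
        if rule.delete_message:
            reason += "; also deletes the original (owner never sees the copy)"
        findings.append((rule.mailbox, rule.name, reason))
    return findings


# Constructed sample export: two benign rules, two that warrant review,
# and one external forward that is disabled and therefore ignored.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "File newsletters"),
    InboxRule("bob@example.com", "Sync to personal",
              forward_to=["bob.home@mail-example.net"]),
    InboxRule("carol@example.com", "Copy to team box",
              redirect_to=["carol@corp.example.com"]),
    InboxRule("dave@example.com", "Forward all",
              forward_to=["PLACEHOLDER-external@attacker-example.org"],
              delete_message=True),
    InboxRule("eve@example.com", "Old forward",
              forward_to=["eve@mail-example.net"], enabled=False),
]


if __name__ == "__main__":
    for mailbox, name, reason in audit_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule '{name}' {reason}")
```

Run the script as-is to see the two findings (bob's forward to a personal domain and dave's forward-and-delete rule). In practice the same check would be fed from a real mailbox-rule export and run on a schedule, and any hit on a mailbox that was recently the target of a credential-phishing email is a strong signal that the login was already used.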