Hacking Group ‘ModifiedElephant’ Has Been Living Out of Sight for a Long Time
Now Its Activities Have Been Unveiled by Researchers.
Last updated on April 13, 2022
A hacking group dubbed ‘ModifiedElephant’, described as an APT (advanced persistent threat) actor, has been found to have conducted its malicious activities quietly for a decade, avoiding detection and evading correlation between its attacks thanks to the methods it employs.
Bringing ‘ModifiedElephant’ Out of the Shadows
Researchers from SentinelLabs have recently published a report detailing the methods used by the ‘ModifiedElephant’ APT.
According to the report, the campaigns’ lures are politically themed and frequently customized for the target.
The attackers also worked on making their emails look legitimate in several ways: fake body content carrying a forwarding history with long lists of recipients, original recipient lists padded with many seemingly fake accounts, or simply resending the same malware several times with new emails or new lure documents.
Interestingly, the researchers did not observe the group using any custom backdoor, which suggests the actor is not particularly sophisticated.
The actor has kept the same Visual Basic keylogger since 2012, a tool that is also available free of charge on hacking forums. The researchers believe, however, that it no longer works on modern OS versions.
Timeline of ModifiedElephant Campaigns
The actor’s main method has been spear-phishing. Over the years its techniques have evolved, and the researchers’ report includes a timeline of the actor’s activity that shows how its attack methods improved.
In 2013, ModifiedElephant used email attachments with deceptive double extensions (file.pdf.exe) to drop malware.
By 2015 the group had switched to password-protected RAR archives, whose contents included legitimate-looking lure files to mask signs of the malware’s execution.
In 2019 the group hosted malware-dropping sites and abused cloud hosting services; this marks the shift from fake documents to malicious URLs.
Finally, in 2020, ModifiedElephant used RAR files around 300 MB in size to evade detection (archives that large commonly exceed the file-size limits of scanning engines, which then skip them).
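The three attachment-level traits in this timeline (deceptive double extensions, password-protected RAR archives and oversized archives) are easy to screen for at the mail gateway. The Python below is an added example written for this page, not code from SentinelLabs or from the actor. It walks RAR 4.x block headers by hand from the documented header layout (no unrar binary needed), and the sample archive at the bottom is constructed for the demonstration rather than taken from any real sample; the 200 MB size threshold is an assumed scanner limit.

```python
"""Mail-attachment triage for the lure traits in the timeline above.
Added example for this page (not SentinelLabs' or ModifiedElephant's code).
Flags: deceptive double extensions (report.pdf.exe), password-protected
entries in RAR 4.x archives (walked by hand from the documented header
layout, no unrar needed), and oversized archives. The sample archive at
the bottom is constructed by hand; it is not a real malware sample."""
from __future__ import annotations
import struct

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
MAIN_HEAD, FILE_HEAD = 0x73, 0x74
MHD_PASSWORD = 0x0080   # main header flag: block headers themselves are encrypted
LHD_PASSWORD = 0x0004   # file header flag: entry data is encrypted
LHD_LARGE = 0x0100      # file header flag: 64-bit sizes precede the file name
LONG_BLOCK = 0x8000     # generic flag: an ADD_SIZE field follows the header
SIZE_LIMIT = 200 * 1024 * 1024  # assumed gateway scan limit; tune to your environment


def has_deceptive_double_extension(name: str) -> bool:
    """True for names such as 'order.pdf.exe' (document extension hiding an executable one).
    Whitespace padding between the extensions, another classic trick, is tolerated."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    inner, outer = parts[1].strip(), parts[2].strip()
    return inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS


def rar4_entries(data: bytes) -> list[tuple[str, bool]]:
    """Walk RAR 4.x block headers and return (name, encrypted) per file entry.
    If the archive headers are encrypted, names cannot be read at all, so a
    single ('<headers encrypted>', True) marker is returned."""
    if not data.startswith(RAR4_MAGIC):
        return []
    entries, pos = [], len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        # every block starts with HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2)
        head_type, flags, head_size = struct.unpack_from("<xxBHH", data, pos)
        if head_size < 7:
            break  # malformed header; stop rather than loop forever
        if head_type == MAIN_HEAD and flags & MHD_PASSWORD:
            return [("<headers encrypted>", True)]
        add_size = 0
        if head_type == FILE_HEAD:
            # fixed part: PACK_SIZE(4) UNP_SIZE(4) HOST_OS(1) FILE_CRC(4) FTIME(4)
            #             UNP_VER(1) METHOD(1) NAME_SIZE(2) ATTR(4) -> name at +32
            pack_size, = struct.unpack_from("<I", data, pos + 7)
            name_size, = struct.unpack_from("<H", data, pos + 26)
            name_off = pos + 32
            if flags & LHD_LARGE:
                high_pack, = struct.unpack_from("<I", data, name_off)
                pack_size |= high_pack << 32
                name_off += 8
            raw = data[name_off:name_off + name_size].split(b"\x00")[0]
            entries.append((raw.decode("utf-8", "replace"), bool(flags & LHD_PASSWORD)))
            add_size = pack_size  # packed data follows the header
        elif flags & LONG_BLOCK:
            add_size, = struct.unpack_from("<I", data, pos + 7)
        pos += head_size + add_size
    return entries


def triage_attachment(name: str, data: bytes, size: int | None = None) -> list[str]:
    """Return human-readable findings for one attachment (empty list = nothing odd)."""
    size = len(data) if size is None else size
    findings = []
    if has_deceptive_double_extension(name):
        findings.append(f"double-extension executable: {name}")
    if size > SIZE_LIMIT:
        findings.append(f"oversized attachment ({size // (1024 * 1024)} MB) may exceed scanner limits")
    for entry, encrypted in rar4_entries(data):
        if encrypted:
            findings.append(f"password-protected RAR entry: {entry}")
        if has_deceptive_double_extension(entry):
            findings.append(f"double-extension executable inside archive: {entry}")
    return findings


# --- constructed sample data (hand-built RAR 4.x headers, not a real sample) ---
def _rar4_file_header(name: bytes, flags: int, payload: bytes) -> bytes:
    head = struct.pack("<BHH", FILE_HEAD, flags, 32 + len(name))
    head += struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, 0, 0, 29, 0x30, len(name), 0x20)
    return b"\x00\x00" + head + name + payload  # CRC left zero; not validated here


SAMPLE_RAR = (
    RAR4_MAGIC
    + b"\x00\x00" + struct.pack("<BHHHI", MAIN_HEAD, 0, 13, 0, 0)
    + _rar4_file_header(b"lure.pdf", LONG_BLOCK, b"%PDF-1.4 decoy")
    + _rar4_file_header(b"lure.pdf.exe", LONG_BLOCK | LHD_PASSWORD, b"\x00" * 16)
)

if __name__ == "__main__":
    for n, d in [("Court_Notice.pdf.exe", b"MZ"), ("docs.rar", SAMPLE_RAR), ("notes.txt", b"hi")]:
        print(n, "->", triage_attachment(n, d) or "clean")
```

A password-protected archive is not malicious by itself, and neither is a large one; the value of these checks is in combining them with the mail context (unknown sender, padded recipient list, document-themed lure) so that a gateway can quarantine for manual review rather than block outright. RAR 5.x uses a different header format and is not parsed here; in production, hand the archive to a maintained library once the cheap checks have fired.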
According to the same report, the group’s targets included free speech defenders, lawyers, academics and human rights activists in India.
Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!