Clasiopa targets materials research organizations.
N2K, Feb 23, 2023

Threat actor uses custom remote access Trojan.

Clasiopa targets materials research organizations.

Symantec describes a previously unobserved threat actor the company calls “Clasiopa” that targeted a materials research firm in Asia.

Clasiopa’s unique toolset.

The threat actor uses a mix of publicly available and custom-made malware, including a bespoke remote access Trojan called “Atharvan.” Clasiopa may also have abused two legitimate software packages in its attacks:

“One compromised computer was running Agile DGS and Agile FD servers, software developed by Jiangsu. These packages are used for document security and protection in transit. Malicious files were dropped into a folder named “dgs” and one of the backdoors used was renamed from atharvan.exe to agile_update.exe. It is unclear if these software packages are being injected into or installed by the attackers.

“HCL Domino (formerly IBM Domino) was also run on a compromised machine in close proximity to the execution of backdoors, although it is unclear if this was a coincidence or not. However, both the Domino and Agile software appear to be using old certificates and the Agile servers use old vulnerable libraries.”
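
The pattern in the quoted passage, a backdoor renamed to look like a vendor updater and dropped into that vendor's folder, is one a hunt team can screen for in process-creation telemetry. The script below is an added example, not code from N2K or Symantec, and it uses no real indicators: the events mimic Sysmon Event ID 1 fields (Image, OriginalFileName, Hashes, ParentImage), the hash allowlist is a placeholder a defender would build from a clean install, and the assumption that the renamed binary's version resource still reads atharvan.exe is made for illustration only (the article says the file was renamed, not what its version resource contains).

```python
"""Triage filter for the masquerading pattern described above.

Added example, not N2K's or Symantec's code. Fields mimic Sysmon Event ID 1;
every path, hash and name below is constructed for illustration, not an IOC.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcessEvent:
    image: str               # full path of the executable that started
    original_file_name: str  # OriginalFilename from the PE version resource ("-" if none)
    sha256: str              # hex digest of the file on disk
    parent_image: str        # process that launched it


# Assumed allowlist: SHA-256 of the package's own binaries taken from a clean
# install. These digests are placeholders, not real hashes.
DGS_ALLOWLIST = {
    "1111": "agile_update.exe",
}

SAMPLE_EVENTS = [
    # Legitimate updater: on-disk name matches the version resource, hash is allowlisted.
    ProcessEvent(r"C:\Program Files\Agile\dgs\agile_update.exe", "agile_update.exe",
                 "1111", r"C:\Windows\System32\services.exe"),
    # Masquerading copy: same name and folder, unknown hash, and the version resource
    # still names the original binary (an assumption made for this example).
    ProcessEvent(r"C:\Program Files\Agile\dgs\agile_update.exe", "atharvan.exe",
                 "2222", r"C:\Windows\System32\cmd.exe"),
    # No version resource at all: nothing to compare, but still an unknown file in dgs.
    ProcessEvent(r"C:\Program Files\Agile\dgs\helper.exe", "-",
                 "3333", r"C:\Program Files\Agile\dgs\agile_update.exe"),
    # Benign control: differs only in case, which must not count as a mismatch.
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
                 "4444", r"C:\Windows\explorer.exe"),
]


def in_dgs_folder(ev: ProcessEvent) -> bool:
    """True when any directory component of the image path is named 'dgs'."""
    parts = ntpath.normpath(ev.image).lower().split("\\")
    return "dgs" in parts[:-1]


def name_mismatch(ev: ProcessEvent) -> bool:
    """True when the compiled-in name disagrees with the on-disk name.

    Comparison is case-insensitive. Sysmon reports '-' when the PE carries no
    version resource; that is a gap in evidence, not a mismatch.
    """
    if ev.original_file_name in ("", "-"):
        return False
    return ntpath.basename(ev.image).lower() != ev.original_file_name.lower()


def triage(events):
    """Return [(image, [reasons])] for events that merit an analyst's attention."""
    findings = []
    for ev in events:
        reasons = []
        if name_mismatch(ev):
            reasons.append(f"original filename is {ev.original_file_name!r}")
        if in_dgs_folder(ev) and ev.sha256 not in DGS_ALLOWLIST:
            reasons.append("unknown hash in dgs folder")
        if reasons:
            findings.append((ev.image, reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Both checks are triage signals rather than verdicts: vendors do ship binaries whose OriginalFilename differs from the installed name, and an attacker can strip or rewrite the version resource, which is why the second check keys on hashes the defender has verified rather than on names alone.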

No attribution.

Symantec says there is no firm evidence of who is behind Clasiopa. Some of the group's malware contains references to India and Hinduism, but the researchers consider these obvious enough that they could be false flags.