APT Group Upgrades Malware from the Black Market into Dangerous Backdoor

Cyber-espionage group targeted companies in Asia. Details about the operations of a new cyber-espionage group are emerging, and this gang has been buying malware from the black market and evolving it into powerful and undetectable backdoors.

The group, dubbed Shrouded Crossbow by Trend Micro’s researchers, has been extremely active since 2010, when the first signs of their existence could be traced, and they heavily targeted both the private and the public sectors of many Asian countries.

Digging deep into data from the group’s operations, security researchers found many clues that led them to believe that, at one point, the organization bought the BIFROSE (or Bifrost) malware from underground marketplaces.

APT Group Upgrades Malware from the Black Market into Dangerous Backdoor

Shrouded Crossbow derived their own tools from the BIFROSE codebase

BIFROSE is a very capable remote access trojan (RAT), used widely in cyber-espionage campaigns, including many covert spying capabilities. The average price of a BIFROSE package on the Dark Web is around $10,000 / €9,400.

The group’s members used this malware as the basis for creating other spying tools of their own. Trend Micro discovered a much-simplified backdoor utility named XBOW and a modified version of the KIVARS backdoor.

Both shared lots of code with the standard BIFROST malware and were used on the same C&C infrastructure from where the group was carrying out their normal operations.

“Our research indicates that the group has sufficient financial resources to purchase the source code of a widely available malware tool, and the human resources to design improved versions of its own backdoors based on this,” says Razor Huang, Threats Analyst for Trend Micro.

Shrouded Crossbow is a very large cyber-crime syndicate

Based on the file naming scheme used to compile different versions of the XBOW backdoor, Mr. Huang estimates that at least ten developers worked on the malware’s code. This is a very high number of people, with normal cyber-crime gangs rarely counting more than ten members in total.

Add to this the number of people involved in the spear-phishing campaigns used to distribute the backdoors, and the people in charge of managing the 100+ C&C servers, and Shrouded Crossbow becomes one of the largest cyber-crime syndicates ever discovered.

During the past five years, Trend Micro reports that the group targeted privatized government agencies, government contractors, and companies from the consumer electronics, computer, healthcare, and financial sectors. The security vendor did not speculate on the group’s origin country.