France, Russia, Switzerland, Germany, Austria, Slovenia, Kazakhstan, United Arab Emirates, Algeria, USA
Exploits
Watering hole attacks
Cyberespionage
Data theft
The group’s targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the “Ansar Al-Mujahideen English Forum”) and Bitcoin companies indicates a flexible yet unusual mindset and set of interests.
Information technology
Software companies
Financial institutions
Specific individuals
Trade and commerce
Private companies
Pharmaceutical
Manufacturing
Investments
The origin of the attackers remains a mystery. In some of the samples, the encrypted configuration includes the string “La revedere” (“Good bye” in Romanian) to mark the end of the C&C communication. In addition, Kaspersky Lab researchers have found another non-English string, which is the Latin transcription of the Russian word “Успешно” (“uspeshno”, meaning “successfully”).
The blog post and research paper are available at Securelist.com