Delaware, USA – September 4, 2018 — WindShift APT group targets employees of government agencies and critical infrastructure companies in the Middle East. The APT group conducted highly targeted attacks using Mac malware and remained undetected for several years. The report published by the DarkMatter expert describes how WindShift carefully plans operations and collects information about each of their victims for up to one year. In this phase, attackers use fake social media profiles, they are added to friends and collect sensitive information including telephone numbers and private email addresses to prepare the next step of the attack. In the next phase, attackers collect user credentials and infect devices with malware: they lure their victims to phishing web pages using SMS and emails. This phase takes about a day, after which attackers ‘turn off’ the infrastructure. If the attack fails, hackers from WindShift APT wait half a year before the next attempt. Attackers leverage WindTale (A and B) backdoor to download and install WindTape malware, whose functionality is similar to the Komplex OSX trojan used by Fancy Bear group. The primary function of WindTape trojan is to take screenshots and transfer them to attackers’ server.
The group is very stealthy and does not reuse the infrastructure used in past operations. The expert suggests that WindShift APT started using Winddrop malware to infect Windows users in May 2018. Recently we published information about another attack on Mac users conducted by the Lazarus group. To detect sophisticated cyberattacks, you can use your SIEM with APT Framework rule pack: https://my.socprime.com/en/integrations/apt-framework-arcsight