{"id":11264,"date":"2016-02-09T05:30:22","date_gmt":"2016-02-09T10:30:22","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=11264"},"modified":"2020-02-26T11:05:20","modified_gmt":"2020-02-26T16:05:20","slug":"poseidon-apt-boutique","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/poseidon-apt-boutique\/11264\/","title":{"rendered":"The Poseidon&#8217;s Domain"},"content":{"rendered":"<p>Long gone are the days when hackers would make malware just for fun. Nowadays malware is there not to simply cripple a PC, as it once was, but rather to make money for those who created it and infected your computer with it. Cybercrime is an industry unto itself, with both large and small players. Our GReAT experts have recently discovered another player in the space, which they have dubbed the Poseidon Group. Their research on this group was presented at the <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/thesas2016\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Security Analyst Summit 2016<\/a>.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/02\/06023020\/poseidon-apt-FB.jpg\" rel=\"attachment wp-att-11265\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-11265\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/02\/06023020\/poseidon-apt-FB.jpg\" alt=\"Poseidon \u2014 a custom-tailored malware boutique unveiled at #theSAS2016\" width=\"1280\" height=\"1280\"><\/a><\/p>\n<p>While the research was presented in 2016, the group is hardly a new player. Campaigns from this group seem to have been active since 2005, and the first sample that was found dates back to 2001. Poseidon targets only Windows-based computers, ranging from Windows 95 to Windows 8.1 and Windows Server 2012 in the latest samples discovered. 
The group has a particular interest in domain-based networks, which are typical for big companies and enterprises.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/02\/06023017\/poseidon-live-photo.jpg\" rel=\"attachment wp-att-11270\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-11270\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/02\/06023017\/poseidon-live-photo.jpg\" alt=\"Poseidon \u2014 a custom-tailored malware boutique unveiled at #theSAS2016\" width=\"1280\" height=\"768\"><\/a><\/p>\n<h3>How Poseidon strikes<\/h3>\n<p>The attacks usually started with spear phishing \u2014 phishing aimed at specific individuals rather than relying on mass spam campaigns. Usually this means that the criminals turn to <a href=\"https:\/\/www.kaspersky.com\/blog\/social-engineering-hacking-the-human-os\/3386\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">social engineering<\/a> to convince the victim to open a malicious e-mail.<\/p>\n<p>Once the victim has downloaded the malicious file \u2014 usually a DOC or RTF document with embedded malware \u2014 their computer is compromised. 
Interestingly enough, Poseidon\u2019s toolkit is aware of many antivirus products and tries to either hide from them or attack their processes as a means of self-defense.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Come and see the very first publicly known English-Portuguese speaking targeted campaign <a href=\"https:\/\/twitter.com\/hashtag\/TheSAS2016?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#TheSAS2016<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/WhoIsPoseidon?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#WhoIsPoseidon<\/a> <a href=\"https:\/\/t.co\/kRbprLA4PD\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/kRbprLA4PD<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/695610810517872641?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 5, 2016<\/a><\/p><\/blockquote>\n<p>The malware installed on the PC then establishes a connection with a command &amp; control server. The attackers move laterally through the network, collecting large amounts of data, looking for ways to escalate their access privileges and mapping the network in order to find the exact PC they are looking for. Their main target is usually the Windows domain controller, and their main goal is stealing intellectual property, trade secrets and other commercially important data.<\/p>\n<p>These attacks are highly customized. Although the initial stage is usually the same, everything that happens afterwards is designed specifically for each victim \u2014 that\u2019s why the GReAT team decided to call Poseidon a \u2018custom-tailored malware implants boutique\u2019. 
That\u2019s also the main reason why it took so long to put the pieces of the puzzle together and figure out that all these seemingly unconnected attacks were actually performed by one group lurking in the shadows.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">So who is Poseidon? <a href=\"https:\/\/twitter.com\/hashtag\/TheSAS2016?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#TheSAS2016<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Whoisposeidon?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Whoisposeidon<\/a> <a href=\"https:\/\/t.co\/n9bdWP4HYE\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/n9bdWP4HYE<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/696700193866174464?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 8, 2016<\/a><\/p><\/blockquote>\n<p>The information that Poseidon gathered was typically used to blackmail the victims into hiring Poseidon as a security contractor. Sometimes even that didn\u2019t stop Poseidon from continuing the attack or initiating a new one against the same company. The campaign is probably not state-sponsored, because Poseidon only showed interest in gathering highly valuable commercial data. 
We believe the information was also frequently sold to other parties who showed interest and had enough money to pay for it.<\/p>\n<p>All <a href=\"https:\/\/www.kaspersky.com\/internet-security?_ga=1.212604438.365796296.1438633439\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Kaspersky Lab products<\/a> detect all known Poseidon threats as <em>Backdoor.Win32.Nhopro, HEUR:Backdoor.Win32.Nhopro.gen or HEUR:Hacktool.Win32.Nhopro.gen<\/em>.<\/p>\n<p>What makes Poseidon special is that it\u2019s the first player in the APT market targeting primarily Portuguese-speaking companies or businesses that have joint ventures in Brazil. There are also victims in France, India, Kazakhstan, Russia, the United Arab Emirates and the United States of America.<\/p>\n<p>By now we know of at least 35 victims, including financial and government institutions, energy, telecommunication and manufacturing companies, and media and PR agencies. 
Since it\u2019s hard to distinguish a Poseidon Group attack from other malware infections, due to the group\u2019s customized and stealthy approach, GReAT researchers believe there are more victims that cannot be identified at this time.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">48 hours to reveal <a href=\"https:\/\/twitter.com\/hashtag\/WhoIsPoseidon?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#WhoIsPoseidon<\/a><br>Come and see <a href=\"https:\/\/t.co\/E3RDQzlSez\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/E3RDQzlSez<\/a> <br>At <a href=\"https:\/\/twitter.com\/hashtag\/TheSAS2016?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#TheSAS2016<\/a><\/p>\n<p>\u2014 Dmitry Bestuzhev (@dimitribest) <a href=\"https:\/\/twitter.com\/dimitribest\/status\/696264670546505729?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 7, 2016<\/a><\/p><\/blockquote>\n<p>Kaspersky Lab is working together with known victims of active infections, providing remediation assistance and intelligence reports to help them withstand the threat. We were able to sinkhole several command &amp; control servers, but the Poseidon Group has a habit of changing them frequently and thus remains active for now.<\/p>\n<p>This cyber campaign is a good example of how crucial proper information security policies and security solutions are for large businesses. Stay tuned to learn more about newly discovered APTs, as at SAS 2016 we are paying a lot of attention to this particular subject.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At The SAS 2016, Kaspersky Lab researchers discussed the newly discovered Poseidon Group. 
A custom APT boutique chasing commercially valuable data<\/p>\n","protected":false},"author":696,"featured_media":11266,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2684,2683],"tags":[499,605,36,1425,732,1410,422,113],"class_list":{"0":"post-11264","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-special-projects","9":"category-threats","10":"tag-apt","11":"tag-great","12":"tag-malware-2","13":"tag-poseidon","14":"tag-research","15":"tag-sas-2016","16":"tag-threats","17":"tag-windows"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/poseidon-apt-boutique\/11264\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/poseidon-apt-boutique\/6664\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/poseidon-apt-boutique\/6742\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/poseidon-apt-boutique\/6650\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/poseidon-apt-boutique\/7705\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/poseidon-apt-boutique\/7441\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/poseidon-apt-boutique\/10796\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/poseidon-apt-boutique\/6967\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/poseidon-apt-boutique\/10328\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/poseidon-apt-boutique\/10796\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/poseidon-apt-boutique\/11264\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/poseidon-apt-boutique\/11264\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts
\/11264","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/696"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=11264"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11264\/revisions"}],"predecessor-version":[{"id":33633,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11264\/revisions\/33633"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/11266"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=11264"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=11264"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=11264"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}