A previously unknown attack group has been observed targeting a materials research organization in Asia. The group, which Symantec calls Clasiopa, is characterized by a distinct toolset that includes one piece of custom malware (Backdoor.Atharvan). At present, there is no firm evidence of where Clasiopa is based or on whose behalf it acts.
The group's first known operation was in late 2012, when a watering hole attack was launched against the Indian Institute of Science's website. The attack used a drive-by download to infect visitors using the Internet Explorer browser, who were redirected to websites hosting Backdoor.Atharvan.
The attackers target a wide range of industries and business sectors. The primary targets appear to be companies that work on scientific and engineering-related products and services, such as software development and computer hardware research and development. Reports indicate that the group has been active since at least 2011, with activity across India, Malaysia, Taiwan, Thailand and Indonesia since then. The group is also known for using social engineering to gain access to its targets.
Symantec has identified five different operations. In all cases the malware was distributed via drive-by downloads, but the attack vector does not appear to be a browser exploit. Instead, the attackers combine backdoor malware with exploit code to gain persistence on targeted systems.
"It's one of these very rare examples where we have full coverage," said Symantec researcher Alexander Polyakov in an interview with SCMagazineUS.com. "We don't do much work in Asia per se but we have active relationships in India and so they notified us that this kind of activity was happening."
Source: Clasiopa: New Group Targets Materials Research - AlienVault - Open Threat Exchange