
Cycldek

Posted: June 4, 2020

Cycldek is an Advanced Persistent Threat (APT) group whose activity was first analyzed and described in 2018; the information gathered then allowed cybersecurity researchers to trace Cycldek's operations back to 2014. The group's campaigns usually focus on Southeast Asia, and its targets frequently include high-ranking government officials and government entities. The attackers use a rich arsenal of custom-built malware, as well as public and living-off-the-land tools that many other threat actors also employ. Recently, Cycldek attracted the attention of anti-virus vendors worldwide by introducing a new tool into its attacks: USBCulprit, a piece of malware that appears to be designed to reach air-gapped networks over removable USB drives and collect data from them.

Cycldek is believed to originate from China and is mainly interested in Vietnam, Thailand and Laos, although traces of its activity have also been found on infected networks elsewhere in Southeast Asia.

One of the group's best-known Remote Access Trojans (RATs) is the NewCore RAT. Its modules have been reused to build two closely related RATs that share the same feature set but otherwise appear to be distinct implants: one is labeled BlueCore RAT, the other RedCore RAT.

Public tools that Cycldek makes use of include:

  • HDoor – An old backdoor Trojan that has been used by multiple China-based APT actors.
  • JsonCook – A tool that steals cookies from Chromium-based browsers by reading the SQLite database in which the browser stores them.
  • ChromePass – A tool that collects passwords saved in Chromium-based Web browsers.
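To make concrete what a cookie-stealing tool like JsonCook can and cannot read straight out of the browser's SQLite file, here is an added example (not code from Cycldek or from JsonCook itself) that builds a constructed, simplified Chromium-style `Cookies` database, then reads it the way such a tool does: by copying the file out from under the browser and querying it directly. The schema is a reduced subset of Chromium's real `cookies` table, the rows and the "encrypted" blob are constructed sample data, and the timestamp conversion and the `v10` prefix reflect Chromium's real storage format (microseconds since 1601-01-01 UTC; `v10` marking values encrypted with the profile's AES-GCM key).

```python
"""Forensic view of a Chromium-style Cookies database.

Added example, not Cycldek's or JsonCook's code. The schema is a simplified
subset of Chromium's real `cookies` table and the rows are constructed data.
"""
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone

# Chromium stores times as microseconds since 1601-01-01 UTC (the Windows
# FILETIME epoch). Seconds between that epoch and the Unix epoch:
WEBKIT_EPOCH_OFFSET_SECONDS = 11_644_473_600

# Chromium marks values encrypted with its AES-GCM cookie key with this prefix.
ENCRYPTED_VALUE_PREFIX = b"v10"

# Simplified subset of Chromium's `cookies` table (constructed for this example).
SCHEMA = """
CREATE TABLE cookies (
    creation_utc    INTEGER NOT NULL,
    host_key        TEXT    NOT NULL,
    name            TEXT    NOT NULL,
    value           TEXT    NOT NULL,
    path            TEXT    NOT NULL,
    expires_utc     INTEGER NOT NULL,
    is_secure       INTEGER NOT NULL,
    is_httponly     INTEGER NOT NULL,
    encrypted_value BLOB    NOT NULL DEFAULT ''
);
"""


def webkit_to_datetime(webkit_us: int) -> datetime:
    """Convert a Chromium/WebKit microsecond timestamp to an aware UTC datetime."""
    unix_seconds = webkit_us / 1_000_000 - WEBKIT_EPOCH_OFFSET_SECONDS
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse of webkit_to_datetime."""
    return int(round((dt.timestamp() + WEBKIT_EPOCH_OFFSET_SECONDS) * 1_000_000))


def build_sample_db(path: str) -> None:
    """Write a constructed Cookies DB with two rows.

    Row 1 keeps its value in the plaintext `value` column. Row 2 has an empty
    `value` and a blob in `encrypted_value`, which is what a stealer sees on a
    profile where Chromium encrypts cookies (key protected by DPAPI or the OS
    keychain). The blob here is a constructed placeholder, not real ciphertext.
    """
    created = datetime_to_webkit(datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc))
    expires = datetime_to_webkit(datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc))
    fake_blob = ENCRYPTED_VALUE_PREFIX + b"\x00" * 12 + b"constructed-ciphertext"
    con = sqlite3.connect(path)
    try:
        con.executescript(SCHEMA)
        con.executemany(
            "INSERT INTO cookies VALUES (?,?,?,?,?,?,?,?,?)",
            [
                (created, ".example.test", "session", "abc123", "/", expires, 1, 1, b""),
                (created, ".example.test", "auth", "", "/", expires, 1, 1, fake_blob),
            ],
        )
        con.commit()
    finally:
        con.close()


def dump_cookies(path: str) -> list:
    """Read the DB the way a stealer does: bypass the browser, open the file.

    A running browser keeps the file open, so such tools usually copy it to a
    temporary location first. A non-browser process copying Cookies or
    Login Data out of a profile directory is a useful detection signal.
    """
    with tempfile.TemporaryDirectory() as tmp:
        copy = os.path.join(tmp, "Cookies.copy")
        shutil.copy(path, copy)
        con = sqlite3.connect(copy)
        con.row_factory = sqlite3.Row
        try:
            rows = con.execute(
                "SELECT host_key, name, value, expires_utc, is_secure, "
                "is_httponly, encrypted_value FROM cookies ORDER BY rowid"
            ).fetchall()
        finally:
            con.close()
    result = []
    for r in rows:
        blob = bytes(r["encrypted_value"])
        encrypted = len(blob) > 0
        result.append({
            "host": r["host_key"],
            "name": r["name"],
            # Only plaintext cookies are directly usable; encrypted ones need the
            # profile's key, i.e. code running in the victim user's context.
            "value": None if encrypted else r["value"],
            "encrypted": encrypted,
            "aes_gcm_format": blob.startswith(ENCRYPTED_VALUE_PREFIX),
            "expires": webkit_to_datetime(r["expires_utc"]),
            "secure": bool(r["is_secure"]),
            "httponly": bool(r["is_httponly"]),
        })
    return result


def demo() -> list:
    """Build the sample DB in a temp dir, dump it, clean up, return the rows."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "Cookies")
        build_sample_db(db)
        return dump_cookies(db)


if __name__ == "__main__":
    for cookie in demo():
        print(cookie)
```

The practical takeaway for defenders is in `dump_cookies`: the file copy and the out-of-process SQLite read are the observable behaviour, and on profiles where values sit only in `encrypted_value` the tool must also run under the victim's account to unwrap the key, which is why such stealers are deployed on the compromised host rather than run against an offline copy.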

APT groups that invest time and resources in malware projects targeting air-gapped networks are becoming more common, and Cycldek is one of the latest names on that list. Cycldek's campaigns are ongoing, and the group updates its payloads and network infrastructure frequently to evade detection.
