
WindShift APT

Posted: April 13, 2020

WindShift is an Advanced Persistent Threat, or APT, that conducts espionage attacks using long-term social engineering tactics, Trojans and spyware. These operations can sustain themselves over months or even years and target specific individuals in Middle Eastern governments and businesses. Users should protect themselves through the standard methods for averting e-mail-based security risks and use their anti-malware products as necessary for containing or removing WindShift's hacking tools.

The Unseen Winds Blowing through Social Connections

By necessity, the cyber-security industry concerns itself with more than pure software and hardware. Threat actors of all stripes also use psychology as doorways into hacking PCs and other devices, with few entities displaying such attacks better than WindShift. This threat actor, possibly state-sponsored through an unknown Middle Eastern government, wields Trojans and data-collecting spyware as a last resort. Instead, the attackers prefer targeting and manipulating their victims into giving up passwords for facilitating manual, active surveillance.

Portions of the tools and infrastructure in use by WindShift suggest that the APT either hijacks the resources of other threat actors or has other connections to them, including Russia's APT28 (Fancy Bear) and the attackers behind Operation Hangover. However, malware experts emphasize the sheer, long-term nature of WindShift's activities, which consist of predictable phases suited to targeting individual users in 'sensitive' Middle Eastern workplaces, such as a government agency.

  • Initially, WindShift creates a fake Web persona through content such as Facebook and Twitter profiles and accounts on other social networking services. This years-long endeavor establishes a rapport by soliciting 'friendly' messages from the target, without asking for information such as passwords.
  • After gaining the target's trust, WindShift moves into additional reconnaissance efforts that use e-mail messaging and encourage clicks. Again, there's no unsafe content at this time; the aim is only to build up a trusting relationship for the later stage's success.
  • Finally, stage three 'goes for the kill' by using fake password recovery alerts, typo-squatted domains, SMS messages, and similar techniques for collecting login credentials. By contrast with the earlier stages, the infrastructure here has an extremely short lifespan, usually no more than a day.
  • If these attempts fail, WindShift resorts to various tools that malware researchers have confirmed are partially custom-made. Phishing e-mail messages use links or attachments for dropping WindTail (a file collector), WindTape (a screen grabber), and various backdoor Trojans or Trojan droppers.

Finding One's Way around Friendly Intel Ops

Although some strings in the Trojans WindShift uses contain Persian phrases, attribution is particularly arduous with this threat actor, even more so than with most APTs. However, targets of WindShift's attacks are, fairly consistently, positioned in Middle Eastern governments or in companies dealing with sensitive infrastructure or media. Also, unlike most operations by similar spies, WindShift limits its activities to specific persons; it doesn't seek to breach and compromise the entirety of a corporate network, for example.

Users should avoid underestimating the degree of sophistication in both WindShift's tools (which often use custom certificates and, as noted, rotating domains) and its social engineering strategies. Persona-related Web content receives appropriate maintenance over months and years and employs all ordinary channels of communication for gaining the trust of the victim. Any links in the earlier phases of the campaigns direct users towards safe and legitimate websites, thereby 'softening them up' for later clicks on unsafe content.

Usually, WindShift's Trojans arrive packaged inside of ZIP archives with various fake filenames. The threat actor targets macOS environments, and all users, whether working with Windows PCs or other operating systems, should have compatible anti-malware tools for removing WindTape, WindTail, etc.
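As an added example (not from the original article and not WindShift's or any vendor's own code), the following Python routine triages an incoming message for the stage-three lure traits described above and the ZIP-packaged delivery just mentioned: a lookalike of one of the organisation's own domains (typo-squatting or embedded name), password-recovery wording, and an archive attachment. The allowlist, the homoglyph table, the two-label registrable-domain rule and the sample message are constructed assumptions, not data from the page.

```python
import re
# Constructed allowlist of the organisation's own domains (an assumption for this example).
LEGIT_DOMAINS = ["example-gov.org", "example-media.com"]
# Character swaps common in lookalike names; after normalising, "examp1e-g0v" reads "example-gov".
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def normalize(domain):
    d = domain.lower().strip(".")
    for bad, good in HOMOGLYPHS.items():
        d = d.replace(bad, good)
    return d

def registrable(domain):
    # Crude: keep the last two labels. A real deployment would consult the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def edit_distance(a, b):
    prev = list(range(len(b) + 1))          # Levenshtein distance, one rolling row
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain, legit=LEGIT_DOMAINS):
    """'legit' for the organisation's own hosts, 'lookalike' for a close imitation, else 'other'."""
    d = domain.lower()
    if any(d == l or d.endswith("." + l) for l in legit):
        return "legit"
    if any(normalize(l) in normalize(d) for l in legit):   # own name embedded, e.g. example-gov.org.evil.com
        return "lookalike"
    best = min(edit_distance(normalize(registrable(d)), normalize(registrable(l))) for l in legit)
    return "lookalike" if best <= 2 else "other"

def triage_email(subject, body, attachments):
    """Flag the stage-three lure traits: lookalike links, credential-reset wording, archive attachments."""
    lookalikes = sorted({h for h in URL_RE.findall(body) if classify_domain(h) == "lookalike"})
    reset_lure = any(w in (subject + " " + body).lower() for w in ("password", "recover", "reset"))
    archives = [a for a in attachments if a.lower().endswith(".zip")]
    return {"lookalike_domains": lookalikes, "reset_lure": reset_lure,
            "archive_attachments": archives, "suspicious": bool(lookalikes or archives)}

# Constructed sample message in the style of the stage-three lure (not a real WindShift artifact).
SAMPLE_SUBJECT = "Password recovery alert"
SAMPLE_BODY = ("Your account will be locked. Recover it at https://login.examp1e-g0v.org/reset "
               "or read the notice at https://example-media.com/news")
SAMPLE_ATTACHMENTS = ["Report_2020.zip"]
```

Calling `triage_email(SAMPLE_SUBJECT, SAMPLE_BODY, SAMPLE_ATTACHMENTS)` flags the homoglyph domain and the ZIP attachment while leaving the genuine media link alone; the edit-distance threshold of 2 is a tuning choice and will not catch lookalikes that merely prepend or append words to the real name.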

WindShift has the funding, the talent, and, most importantly, the work ethic and strategizing mindset for getting clicks when it wants them from persons with incredibly sensitive information. When threatening software and social manipulation synergize, they can become even deadlier than either is by itself.
