General description
Calypso's activity was first identified by the PT Expert Security Center in March 2019 during threat-hunting work. The group has been active since at least September 2016. Its main objective is to steal confidential data, and its principal victims are government institutions in Brazil, India, Kazakhstan, Russia, Thailand and Turkey.
Tools
- Calypso RAT
- Hussar
- FlyingDutchman
Target sectors
- Government institutions
Target countries
- Brazil
- India
- Kazakhstan
- Russia
- Thailand
- Turkey
Objectives
- Espionage
Alternative group names
None
Reports by Positive Technologies and other researchers
MITRE ATT&CK techniques used by the group
Technique ID | Technique name | Description |
---|---|---|
Execution | | |
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Calypso uses cmd.exe to execute commands on the host. |
Persistence | | |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The Install BAT script that ships with the Calypso malware establishes persistence through the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. |
T1053.005 | Scheduled Task/Job: Scheduled Task | Calypso creates a scheduled task that dumps the memory of lsass.exe with procdump.exe: c:\windows\system32\procdump.exe -accepteula -ma lsass.exe c:\windows\web\lsass.dmp |
Defense Evasion | | |
T1027 | Obfuscated Files or Information | Calypso's main payload is obfuscated with an algorithm that uses CRC32 as a PRNG. |
T1218.011 | Signed Binary Proxy Execution: Rundll32 | Calypso launches its RATs via rundll32.exe. |
T1564.001 | Hide Artifacts: Hidden Files and Directories | Calypso stores its malware in hidden folders. |
Credential Access | | |
T1003 | OS Credential Dumping | Calypso uses Mimikatz and ProcDump to harvest passwords. |
T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | Calypso uses Mimikatz to generate a golden ticket. |
Discovery | | |
T1087.001 | Account Discovery: Local Account | Calypso uses the net user command to enumerate users. |
T1046 | Network Service Scanning | Calypso uses a TCP port scanner utility to scan ports on hosts within the network. |
T1135 | Network Share Discovery | Calypso uses the NBTScan utility to discover shared folders within the network. |
T1082 | System Information Discovery | Calypso collects information about the victim's computer. |
Lateral Movement | | |
T1550.003 | Use Alternate Authentication Material: Pass the Ticket | Calypso uses a forged Kerberos ticket to move within the network. |
Collection | | |
T1114.001 | Email Collection: Local Email Collection | Calypso collects employees' mailboxes from the mail server. |
T1113 | Screen Capture | FlyingDutchman (Calypso's RAT) can take screenshots of the infected computer. |
T1005 | Data from Local System | Calypso collects data from user folders. |
Command and Control | | |
T1573.001 | Encrypted Channel: Symmetric Cryptography | Calypso encrypts the data sent to its C2 server with XOR and RC4. |
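As an added example (not code from Positive Technologies or from the report the table summarizes), the following Python script turns the host-observable rows of the table into detection rules and runs them over constructed process-creation events. The event fields `host`, `image` and `cmdline` are an assumption modelled on Sysmon Event ID 1; the ProcDump command line is the one quoted in the table, every other event, host name and path is made up for the example. The rules carry the three caveats a detection engineer would want: the LSASS dump is keyed on the `-ma lsass` arguments so a renamed ProcDump binary is still caught, the scheduled task that wraps that command is reported once rather than twice, and rundll32 is only flagged when the DLL is given by an explicit path outside %SystemRoot%, so a benign `shell32.dll` invocation stays quiet.

```python
"""Detection rules for the host-visible Calypso techniques in the table above.
Added example, not Positive Technologies' code. Event fields (host, image,
cmdline) are an assumption modelled on Sysmon Event ID 1."""
import re
from dataclasses import dataclass

# Constructed sample events. The procdump command line is the one quoted in
# the table; every other event, host name and path is made up for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net user"},
    {"host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "update" /tr "c:\windows\system32\procdump.exe -accepteula -ma lsass.exe c:\windows\web\lsass.dmp" /sc once /st 23:00'},
    {"host": "WS01", "image": r"c:\windows\system32\procdump.exe",
     "cmdline": r"c:\windows\system32\procdump.exe -accepteula -ma lsass.exe c:\windows\web\lsass.dmp"},
    {"host": "WS02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\Intel\svc.dll,Start"},
    {"host": "WS02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign: no explicit path
    {"host": "WS02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d "C:\ProgramData\Intel\install.bat"'},
    {"host": "WS03", "image": r"C:\Users\Public\nbtscan.exe",
     "cmdline": r"nbtscan.exe 10.0.0.0/24"},
    {"host": "WS03", "image": r"C:\Users\Public\m.exe",
     "cmdline": r'm.exe "kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-1111111111-2222222222-3333333333 /krbtgt:0123456789abcdef0123456789abcdef"'},
    {"host": "WS03", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},  # benign
]


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    rule: str
    cmdline: str


def _base(path):
    """File name of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _rundll32_nonsystem_dll(img, cmd):
    """rundll32 given a DLL by explicit path outside %SystemRoot% (T1218.011).
    A bare name such as shell32.dll resolves through the normal search order
    and is deliberately left alone so the rule stays quiet on benign use."""
    if _base(img) != "rundll32.exe":
        return False
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+)', cmd)
    dll = m.group(1).strip() if m else ""
    return ":\\" in dll and not dll.startswith("c:\\windows\\")


# (technique ID as given in the table, rule name, predicate over the
#  lower-cased image path and command line)
RULES = [
    ("T1053.005", "scheduled task wrapping an LSASS dump",
     lambda img, cmd: _base(img) == "schtasks.exe" and "/create" in cmd and "lsass" in cmd),
    ("T1003", "ProcDump-style full memory dump of lsass.exe",
     # keyed on the arguments so a renamed procdump binary is still caught;
     # the schtasks event is reported once, by the rule above, not twice
     lambda img, cmd: _base(img) != "schtasks.exe" and "lsass" in cmd
                      and re.search(r"\s-m[am]\s", cmd) is not None),
    ("T1003", "Mimikatz sekurlsa module", lambda img, cmd: "sekurlsa::" in cmd),
    ("T1558.001", "Mimikatz golden ticket", lambda img, cmd: "kerberos::golden" in cmd),
    ("T1547.001", "Run key written with reg.exe",
     lambda img, cmd: _base(img) == "reg.exe" and " add " in cmd
                      and "\\currentversion\\run" in cmd),
    ("T1218.011", "rundll32 loading a DLL from outside %SystemRoot%", _rundll32_nonsystem_dll),
    ("T1087.001", "local account enumeration with net user",
     lambda img, cmd: _base(img) in ("net.exe", "net1.exe")
                      and re.search(r"\bnet1?\s+user\b", cmd) is not None),
    ("T1135", "NBTScan sweep",
     lambda img, cmd: _base(img) == "nbtscan.exe" or cmd.startswith("nbtscan")),
]


def scan(events):
    """Run every rule over every event; one Finding per (event, rule) hit."""
    findings = []
    for ev in events:
        img, cmd = ev["image"].lower(), ev["cmdline"].lower()
        for technique, name, pred in RULES:
            if pred(img, cmd):
                findings.append(Finding(ev["host"], technique, name, ev["cmdline"]))
    return findings


def techniques_by_host(findings):
    """Collapse findings to the set of technique IDs seen per host."""
    out = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.technique)
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}  {f.technique:<10} {f.rule}: {f.cmdline}")
```

Run stand-alone it prints seven findings across the three constructed hosts and nothing for the two benign events. The per-host roll-up is the useful view in practice: a single host showing `T1053.005`, `T1003` and `T1087.001` together matches the credential-theft sequence in the table far more strongly than any one rule on its own.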