ChamelGang
Description
(Positive Technologies) In Q2 2021, the PT Expert Security Center incident response team conducted an investigation in an energy company. The investigation revealed that the company’s network had been compromised by an unknown group for the purpose of data theft. We gave the group the name ChamelGang (from the word ‘chameleon’), because the group disguised its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google. The attackers employed two methods. They acquired domains that imitate legitimate ones. In addition, the APT group placed SSL certificates that also imitated legitimate ones on its servers. To achieve their goal, the attackers used a trending penetration method—supply chain. The group compromised a subsidiary and penetrated the target company’s network through it.
Names
| Name | Name-Giver |
|---|---|
| ChamelGang | Positive Technlogies |
| CamoFei | TeamT5 |
Country
Motivation
- Information theft and espionage
First Seen
2021
Observed Sectors
Observed Countries
Tools
Operations
- 2022: ChamelGang & Friends | Cyberespionage Groups Attacking Critical Infrastructure with Ransomware https://www.sentinelone.com/labs/chamelgang-attacking-critical-infrastructure-with-ransomware/
- 2023-06: ChamelGang and ChamelDoH: A DNS-over-HTTPS implant https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/
Information
Other Information
Uuid
832c145a-c7d3-43b4-9f9e-6998371616d7
Last Card Change
2024-08-26