Uzbekistan's SandCat APT exposed itself by testing malware against commercial anti-virus software

SandCat developed malware on PCs running antivirus software - which transmitted binaries of dodgy files back to Kaspersky researchers

Researchers at cyber security firm Kaspersky have uncovered a new hacking operation, which they believe is linked to Uzbekistan's National Security Service (NSS).

The unmasking of the threat group, which Kaspersky calls 'SandCat', was not difficult: the hackers appear to have set up an internet-connected PC running a number of anti-virus software packages, against which they tested their exploits and malware.

Uzbekistan's NSS regularly targets human rights and other civil rights groups, both within the country and outside.

Kaspersky's product was one of the anti-virus packages running on the test PC; it identified the potentially malicious applications and transmitted binaries of those files back to Kaspersky for analysis.

The activities of SandCat were tracked for the first time in October 2018, following the discovery of an infected system somewhere in the Middle East. According to the researchers, the system was infected with Chainshot - a malware downloader earlier used by threat groups based in the United Arab Emirates and Saudi Arabia.

When researchers analysed the Chainshot Trojan and its infrastructure, they discovered three zero-day exploits used by the hacking group. After analysing those exploits, the researchers concluded that some new hacking group was behind them.

Brian Bartholomew, a researcher at Kaspersky, says the group was "burning through" their exploits at speed, as each time the researchers found and patched a zero-day, the hackers would come up with another one, suggesting that they had "tons of money".

According to Kaspersky researchers, the NSS purchased zero-day exploits from two Israeli firms - Candiru and NSO Group. NSO Group has, in the past, been accused of selling spying tools to government agencies targeting journalists and dissidents. Candiru, which does not maintain a web presence and prefers to keep a low profile, specialises in developing Windows security flaws. However, more recently it is believed to have branched out into Apple's MacOS and iOS operating systems.

The researchers observed that each time the Uzbek NSS received a new exploit from its supplier, someone in the team transferred it to a system running Kaspersky's antivirus software. The antivirus application then uploaded the malicious-looking code to Kaspersky's server for evaluation.

According to Vice, the researchers were also surprised to see the group using the name of a military group linked with NSS to register a domain, which was later used as part of the attack infrastructure.

The researchers were also able to view the hackers' file directories and other data after the hackers mistakenly uploaded a screenshot of their system inside a Word document.

Bartholomew said SandCat will improve its operational security measures now that it knows its mistakes have been publicly and humiliatingly exposed. Candiru and NSO, meanwhile, will need to uncover more zero-day security flaws in Windows and other platforms. "Sloppy customers are bad customers," Bartholomew said.

However, exposing the mistakes will also encourage other researchers to track the activities of SandCat, thereby improving protection for SandCat's future targets.

Bartholomew presented the findings of Kaspersky's SandCat investigation yesterday at the Virus Bulletin security conference in London.