New Espionage Group Amaranth-Dragon Leverages WinRAR Flaw in Targeted Attacks

By Tina Reynolds

Amaranth-Dragon is the latest identified cyber espionage group. Its complex strategies have raised alarms and connect it to the infamous cyber criminal collective APT41. Analysts have pointed to major operational and technical similarities between the two groups, indicating a shared resource pool and methodology. Amaranth-Dragon’s recent campaigns have taken aim at some of the most sensitive geopolitical hotspots. They use a command-and-control (C2) framework known as Havoc and take advantage of vulnerabilities in commonly used software.

Amaranth-Dragon has emerged as a prominent threat owing to its malware toolkit, which closely resembles that of APT41. This relationship is extremely concerning, as it points to cooperation or resource sharing between these threat actors. The group has cleverly positioned its efforts to capitalize on moments in the political calendar, which raises the likelihood that unsuspecting victims will engage with its malicious material.

Technical Overlaps with APT41

Technical capabilities of Amaranth-Dragon closely mirror those found in APT41, especially in malware development and deployment techniques. Researchers first flagged the striking similarity between Amaranth-Dragon’s malware toolkit and APT41’s in July 2023. This substantive similarity would indicate a strong programmatic overlap between the two entities.

Earlier iterations of Amaranth-Dragon’s malware campaigns featured ZIP file attachments. These archives contained Windows Shortcut (LNK) and Batch (BAT) files that would decrypt and run a loader named Amaranth Loader. This approach further shows the group’s reliance on tried and true techniques to gain access to target systems.

“The embedded PowerShell logic recursively searches for the ZIP archive, reads it as raw bytes, and extracts a payload beginning at a fixed byte offset,” – Dream.

As the group matured, so did its tactics. In later campaigns, delivery of the TGAmaranth RAT moved to password-protected RAR archives hosted on Dropbox. This change is a continuation of the group’s constant evolution to avoid detection while remaining operationally efficient.

Malware Functionality and C2 Infrastructure

The TGAmaranth RAT used by Amaranth-Dragon shows extensive capabilities to further operations in the realm of espionage. The malware is capable of executing over 50 different commands, providing attackers with the ability to fully control compromised machines.

For instance, when the operator issues the /start command, the implant pulls a list of active processes from the infected computer and relays it back to the command-and-control server. The same goes for the /screenshot command, which remotely captures and uploads screenshots from the user’s device. Other features, such as file upload and download, let a malicious actor exfiltrate sensitive information with ease.

“The carved data is written to disk using an obfuscated invocation of the WriteAllBytes method. The extracted data is treated as a TAR archive and unpacked using the native tar.exe utility, demonstrating consistent use of living-off-the-land binaries (LOLBins) throughout the infection chain,” – Dream.
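A defender-side check for the two stages quoted above (a payload carved from a ZIP at a fixed offset, then unpacked as a TAR). This is an added example, not code from the article or from Dream; it assumes the carved bytes sit after the ZIP’s end-of-central-directory record, which is the simplest way to hide extra data in an otherwise valid archive (the actual offset is not given on the page), and the sample archive is constructed inline.

```python
import io
import struct
import tarfile
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory signature

def find_eocd(data: bytes) -> int:
    """Offset of the EOCD record, or -1. It is 22 bytes plus an optional
    comment of at most 65535 bytes, so it starts within the last 65557 bytes.
    A payload that itself contains the signature could fool rfind; a stricter
    scanner would walk the central directory instead."""
    return data.rfind(EOCD_SIG, max(0, len(data) - 65557))

def scan(data: bytes) -> dict:
    """Report whether bytes follow the ZIP's logical end and whether they
    look like a TAR stream (POSIX 'ustar' magic at offset 257 of block 0)."""
    eocd = find_eocd(data)
    if eocd < 0:
        raise ValueError("no EOCD record: not a ZIP archive")
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    logical_end = eocd + 22 + comment_len
    trailing = data[logical_end:]
    return {
        # the decoy still opens normally, which is why such files pass casual review
        "decoy_entries": zipfile.ZipFile(io.BytesIO(data)).namelist(),
        "trailing_offset": logical_end if trailing else None,
        "trailing_len": len(trailing),
        "is_tar": len(trailing) >= 262 and trailing[257:262] == b"ustar",
    }

def build_sample() -> bytes:
    """Constructed sample, not a real artifact: a benign decoy ZIP with a
    harmless TAR appended, mirroring the carve-then-tar chain."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("briefing.txt", "decoy document")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        body = b"placeholder bytes, constructed for this example"
        info = tarfile.TarInfo("stage2.bin")
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    return zbuf.getvalue() + tbuf.getvalue()

if __name__ == "__main__":
    print(scan(build_sample()))
```

Any archive that reports a non-zero trailing region is worth quarantining for manual review; a trailing region with the ustar magic matches the tar.exe step described above.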

Amaranth-Dragon’s C2 infrastructure is fronted by Cloudflare, increasing the chances that it will survive automated countermeasures. The group has also geofenced its infrastructure so that it only accepts traffic from the countries it targets, which further complicates efforts to identify and track its activity.

Targeting Tactics and Timing

Amaranth-Dragon tricks its victims into opening malicious files disguised as U.S.-related foreign-relations executive overviews or policy statements. This tactic relies heavily on impersonation and building trust, which is what makes it so much easier to compromise targets.

“Rather than exploiting software vulnerabilities, the operation relied on impersonation and trust,” – Dream.

Simply opening one of these fake files can immediately compromise a system. This underscores the acute imperative of protecting space for civil society, advocacy, and dissent in diplomatic and governmental spheres. Almost all of Amaranth-Dragon’s campaigns have been very well timed: they coincide with the most dramatic local political movements or major security events in the region, which amplifies their impact.

“Many of the campaigns were timed to coincide with sensitive local political developments, official government decisions, or regional security events,” – Check Point Research.

By anchoring their malicious activities in contexts familiar to their targets, Amaranth-Dragon increases the likelihood of engagement with their content, thus improving the success rate of their attacks.