Wednesday, January 26, 2022

Who is "DESKTOP-Group"?

Update 2023-07-05: Suspected key figure of notorious cybercrime group arrested in joint operation. Operation Nervone has dealt a significant blow to the OPERA1ER group.

INTERPOL announcement about Operation Nervone


Update 2022-11-06: A few days ago Group-IB released the report "OPERA1ER - Playing God without permission" (blog, report PDF, webinar), linking different aliases to "DESKTOP-Group":

  • Group-IB: OPERA1ER
  • Orange-CERT-CC: NXSMS
  • SWIFT: Common Raven
  • Symantec: Bluebottle
  • Mandiant: UNC4044 (not in the report)

--

This is just a preliminary post about my research of a threat actor (TA) or group (TG) that we have named "DESKTOP-Group". Other companies (Orange-CERT, Group-IB, SWIFT) have their own names for this TA, but those names are not yet publicly known or linked. (I will update this post as soon as more becomes public.)

We started tracking this TA's activity in early 2018, while analyzing the first malware-laden attack mails during February 2018. Over the next three years, we saw and analyzed 170 distinct attack mails (campaigns) from this TA, but during 2021 it became harder to link malware mails back to them with high confidence.

The first public presentation "DESKTOP-Group – Tracking a Persistent Threat Group (using Email Headers)" was at BotConf 2019. Slides (PDF) are available from my GitHub repo.

In 2020, I also presented about this TA at ReversingLabs #Reversing2020 online conference. A video (starts around 14:30m) and PDF slides are also available.

In 2019, I started sharing on Twitter about this TA, later starting to use the hashtag #DESKTOPgroup.


There is also a closed Google group for research collaboration, mostly with people tracking this TA's activity or having access to related emails or logs.

Malware samples and URLs have been shared and tagged on Abuse.ch Malware Bazaar or URLhaus.