
Governments and telecommunications organizations in Africa, the Middle East and Asia have emerged over the past two and a half years as targets of a previously undocumented China-aligned threat actor tracked as Phantom Taurus.
“The main areas of focus for Phantom Taurus include foreign affairs, embassies, geopolitical events and ministries of military operations,” said Lior Rochberger, a researcher at Palo Alto Networks Unit 42. “The group’s main objective is espionage. The attacks demonstrate stealth, persistence and the ability to quickly adapt tactics, techniques and procedures (TTPs).”
It is worth pointing out that the hacking group was first documented by the cybersecurity company in June 2023 under the moniker CL-STA-0043. In May last year, the threat cluster was promoted to a temporary group, TGR-STA-0043, following the disclosure of sustained cyber espionage activity targeting government entities as part of a campaign codenamed Operation Diplomatic Specter, active since at least late 2022.
Unit 42 stated that continued observation of the group provided enough evidence to classify it as a long-term intelligence-collection operation whose main goal is obtaining sensitive data from targets of strategic interest to China, both economic and geopolitical.

“The group is interested in diplomatic communications, defense-related information and the operation of key government ministries,” the company said. “The timing and scope of the group’s operations are often consistent with major global events and regional security issues.”
This pattern is not unique, as other Chinese hacking groups embrace similar approaches. For example, a new adversary tracked by Recorded Future as RedNovember is assessed to have targeted organizations in Taiwan and Panama in close proximity to “geopolitical and military events of major strategic interest to China.”
Phantom Taurus’ modus operandi stands out for its use of custom-developed tools and techniques that are rarely observed in the threat landscape. This includes a previously unseen bespoke malware suite called NET-STAR. Developed in .NET, it is designed to target Internet Information Services (IIS) web servers.

That said, the hacking crew relies on shared operational infrastructure previously used by groups such as APT27 (aka Iron Taurus), APT41 (aka Starchy Taurus or Winnti), and Mustang Panda (aka Stately Taurus). Conversely, the infrastructure components used by the threat actor have not been detected in operations carried out by the others, indicating some kind of “operational compartmentalization” within the shared ecosystem.
The exact initial access vector is unclear, but previous intrusions have weaponized vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers, abusing flaws such as ProxyLogon and ProxyShell to infiltrate the target network.
“So far, we’ve seen them exploit known vulnerabilities in IIS and Microsoft Exchange servers (such as ProxyLogon and ProxyShell), but that doesn’t mean they won’t change in the future.” “This group is extremely resourceful and motivated. They’ll find a way in some way.”
Another notable aspect of the attacks is a shift from collecting emails to directly targeting databases, using batch scripts that connect to a SQL Server database, export the query results as a CSV file, and then close the connection. The scripts are executed through the Windows Management Instrumentation (WMI) infrastructure.
Unit 42 said the threat actor uses this method to systematically search for documents and information of interest related to specific countries, such as Afghanistan and Pakistan.
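The WMI-launched, batch-script-driven SQL-to-CSV export described above, as an added detection example that is not part of the article or of Unit 42's reporting: it walks constructed Sysmon-style process-creation records and flags a SQL client process writing a CSV file whenever its ancestry shows cmd.exe running a .bat file under WmiPrvSE.exe. The client tool names (sqlcmd, bcp, osql), hostnames and paths are assumptions, since the article names none of them.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:            # minimal Sysmon EventID 1 style record
    pid: int
    ppid: int
    image: str              # full path of the created process
    cmdline: str

SQL_CLIENTS = {"sqlcmd.exe", "bcp.exe", "osql.exe"}  # assumed: the article names no client tool
CSV_RE = re.compile(r"\.csv\b", re.IGNORECASE)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_wmi_sql_exports(events, max_depth=8):
    """Return (pid, cmdline) for SQL client processes writing CSV output whose
    ancestry contains cmd.exe running a .bat file under WmiPrvSE.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _basename(e.image) not in SQL_CLIENTS or not CSV_RE.search(e.cmdline):
            continue
        chain, cur = [], by_pid.get(e.ppid)
        while cur is not None and len(chain) < max_depth:   # walk up the process tree
            chain.append(cur)
            cur = by_pid.get(cur.ppid)
        ran_bat = any(_basename(p.image) == "cmd.exe" and ".bat" in p.cmdline.lower()
                      for p in chain)
        from_wmi = any(_basename(p.image) == "wmiprvse.exe" for p in chain)
        if ran_bat and from_wmi:
            hits.append((e.pid, e.cmdline))
    return hits

# Constructed sample events: a WMI-launched export (pid 1300) and an interactive
# admin export under explorer.exe (pid 2200) that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(800, 600, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    ProcEvent(1200, 800, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Windows\Temp\export.bat"'),
    ProcEvent(1300, 1200, r"C:\Tools\SQLCMD.EXE",
              r'SQLCMD.EXE -S DBSRV01 -Q "SELECT * FROM docs" -s "," -o C:\Windows\Temp\out.csv'),
    ProcEvent(2000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Scripts\export.bat"'),
    ProcEvent(2200, 2100, r"C:\Tools\sqlcmd.exe", r"sqlcmd.exe -S DBSRV01 -o report.csv"),
]
```

Running `find_wmi_sql_exports(SAMPLE_EVENTS)` returns only the pid 1300 entry; in production the same walk is done over real Sysmon or EDR process-tree data, and the parent check should be paired with the WMI activity logs (Microsoft-Windows-WMI-Activity) that record who issued the remote call.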

Recent attacks mounted by Phantom Taurus also use NET-STAR, which consists of three web-based backdoors, each performing specific functions while maintaining access to a compromised IIS environment:
- IIServerCore, a fileless modular backdoor loaded by an ASPX web shell that supports in-memory execution of command-line arguments, arbitrary commands and payloads, sending the results back over an encrypted command-and-control (C2) communication channel
- AssemblyExecuter V1
- AssemblyExecuter V2, which is also equipped with the ability to bypass the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW)
“The NET-STAR malware suite demonstrates Phantom Taurus’s deep understanding of advanced evasion techniques and .NET architecture.” “IIServerCore also supports a command called changeLastModified, which suggests that the malware has an active timestomping feature designed to confuse security analysts and digital forensic tools.”