
Cybersecurity company SentinelOne has revealed that a China-nexus threat cluster it tracks as PurpleHaze carried out reconnaissance attempts against its infrastructure and some of its high-value customers.
“We first became aware of this threat cluster during a 2024 intrusion conducted against an organization previously providing hardware logistics services for SentinelOne employees,” security researchers Tom Hegel, Aleksandar Milenkoski and Jim Walter said in an analysis published Monday.
PurpleHaze is assessed to be a hacking crew with loose ties to another state-sponsored group known as APT15, which is also tracked as Flea, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda.
The group was also observed targeting an unnamed South Asian government-supporting entity in October 2024, employing an operational relay box (ORB) network and a Windows backdoor called GoReShell.
The implants, written in the Go programming language, reuse an open-source tool called Reverse_SSH to establish a reverse SSH connection to an endpoint under the attackers’ control.

“The use of ORB networks is a growing trend among these threat groups, since they can be rapidly expanded to create a dynamic and evolving infrastructure, making the tracking of cyber espionage operations and their attribution challenging,” the researchers noted.
Further analysis determined that the same South Asian government entity had previously been targeted in June 2024 with ShadowPad (aka PoisonPlug), a well-known backdoor shared widely among China-nexus espionage groups. ShadowPad is considered to be the successor to another backdoor called PlugX.
That said, ShadowPad has also been used as a conduit for delivering ransomware in recent months, so the exact motivation behind the attack remains unknown. The ShadowPad artifacts were found to be obfuscated using a custom compiler-based obfuscator called ScatterBrain.
The exact nature of the overlap between the June 2024 activity and the subsequent PurpleHaze attacks remains unknown, although it is believed that the same threat actors could be behind both.
ShadowPad samples obfuscated with ScatterBrain are estimated to have been employed in intrusions targeting more than 70 organizations across the manufacturing, government, finance, telecommunications and research sectors, likely after exploiting an n-day vulnerability in Check Point gateway devices.

One of the victims of these attacks was an organization that was subsequently responsible for managing hardware logistics for SentinelOne employees. However, the cybersecurity company noted that no evidence of a secondary compromise was found.
It wasn’t just China, SentinelOne said: it also observed attempts by North Korea-aligned IT workers to secure employment at the company, including on its SentinelLabs intelligence engineering team, via around 360 fake personas and over 1,000 job applications.
Lastly, ransomware operators are targeting SentinelOne and other enterprise-focused security platforms, attempting to gain access to the tools so they can assess their malware’s ability to evade detection.
This is driven by a lively underground economy that revolves around buying, selling and renting access to such enterprise security products through forums such as XSS[.]is, Exploit[.]in and RAMP, as well as messaging apps.
“Entire service offerings are emerging around this ecosystem, including ‘EDR testing-as-a-service,’ allowing actors to discreetly evaluate malware against a variety of endpoint protection platforms,” the researchers explained.

“These testing services do not grant direct access to full-featured EDR consoles or agents, but they provide attackers with a semi-private environment for fine-tuning malicious payloads without the risk of exposure. They dramatically improve the likelihood of success in real-world attacks.”
One ransomware group that takes this threat to a whole new level is Nitrogen, which is believed to be operated by Russian actors. Unlike the typical approach of approaching insiders or using legitimate credentials harvested from infostealer logs, Nitrogen employs a different strategy: impersonating a real company.
This is achieved by setting up lookalike domains, spoofed email addresses, and cloned infrastructure that mimics a legitimate business, allowing the threat actors to purchase official licenses for EDR and other security products.
“This kind of social engineering is done with precision,” the researchers said. “Nitrogen usually targets small, neglected resellers. It keeps interactions to a minimum and relies on the inconsistent KYC (know your customer) practices of resellers to slip through the cracks.”