Government organizations in Southeast Asia are targeting new campaigns aimed at collecting sensitive information using previously undocumented Windows backdoors.
This activity is tracked by Palo Alto Networks Unit 42, where “CL” represents “cluster” and “STA”, “CL” represents “motivation for state responsibility”, and “CL” represents “CL”.
“The threat actors behind this cluster of activity are collecting sensitive information from government agencies, including information on recent tariffs and trade disputes,” security researcher Rior Rochberger said in an analysis Monday.
Southeast Asia is becoming a cyberspy focus due to its role in sensitive trade negotiations, military modernization, and strategic alignment in US-China power dynamics. Targeting government agencies in this region can provide valuable information on foreign policy directions, infrastructure plans, and changes in internal regulations affecting regional and global markets.
The exact initial access vector used to deliver malware is currently unknown, but it indicates that the use of DLL sideload technology will be deployed to compromised hosts. Specifically, it includes planting a malicious version of the dll called “Mscorsvc.dll” and planting it with the legitimate Windows executable “mscorsvw.exe”.
Once the binary is launched, the DLL can establish communication with the attacker control URL and run any command to download additional payloads. Persistence is achieved by a service that ensures that the DLL is started even after a system restart.
It is worth noting that HagyBeacon utilizes Amazon Web Services (AWS) Lambda URLs for command and control (C2) purposes.
“The AWS Lambda URL is an AWS Lambda feature that allows users to call serverless functions directly via HTTPS,” explained Rochberger. “This technique uses legal cloud capabilities to clearly hide the gaze, creating reliable, scalable and difficult to detect communication channels.”
Defenders are *.lambda-url, especially when started by unusual binary or system services. *. You need to pay attention to outbound traffic to rarely used cloud endpoints like Amazonaws.com. While AWS usage itself is not questionable, context-conscious baselines can help distinguish between malware and legal activities that leverage cloud-native avoidance, such as the origins of correlation processes, parent-child execution chains, and endpoint behavior.
Downloaded from within the payload are file collector modules and time ranges responsible for harvesting files matching a particular set of extensions (doc, docx, xls, xlsx, and pdf). This includes attempts to search for files related to recent US-imposed tariff measures.
Threat actors are also known to employ other services such as Google Drive and Dropbox as their Exfiltration channels to send collected data in fusion with regular network traffic. The incident analyzed in Unit 42 reportedly blocked attempts to upload files to a cloud storage service.
In the final stage, the attacker runs a cleanup command to avoid leaving traces of activity, deleting all archives of staged files and other payloads that were downloaded during the attack.
“Threat actors used HagyBeacon as their primary tool to maintain their foothold and collect sensitive information from affected government agencies,” Rochberger said. “The campaign highlights that attackers continue to find new ways to exploit legal and trustworthy cloud services.”
HagyBeacon uses trusted platforms as secret channels and uses tactics called “living away from trustworthy services” (lot) to reflect a wider trend in advanced persistent threats. As part of this cloud-based malware cluster, similar techniques have been observed in threats using Google Workspace, Microsoft Teams, or Dropbox APIs, to avoid detection and promote persistent access.
Source link
