
High-value organizations in South Asia, Southeast Asia, and East Asia have been targeted by Chinese threat actors as part of a long-running campaign.
This activity targets the aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors and has been attributed to a previously undocumented threat group tracked as CL-UNK-1068 by Palo Alto Networks Unit 42. In Unit 42’s naming scheme, “CL” denotes a cluster of activity and “UNK” indicates that its motivation has not yet been established.
The company nonetheless assesses with “medium to high confidence” that the campaign’s primary purpose is cyber espionage.
“Our analysis revealed a multifaceted toolset including custom malware, modified open source utilities, and living-off-the-land binaries (LOLBins),” said security researcher Tom Fakterman. “These provide a simple and effective way for attackers to maintain a persistent presence within a target environment.”
The toolset covers both Windows and Linux environments, combining open source utilities with malware families such as Godzilla, ANTSWORD, Xnote, and Fast Reverse Proxy (FRP), all of which are shared across multiple Chinese hacking groups.
While Godzilla and ANTSWORD are both web shells, Xnote is a Linux backdoor that has been observed in the wild since 2015 and has been deployed in attacks against online gambling sites by a threat actor known as Earth Berberoka (also tracked as GamblingPuppet).
A typical attack chain exploits a public-facing web server to drop a web shell, moves laterally to other hosts, and then attempts to collect files by name or extension (web.config, .aspx, .asmx, .asax, .dll) from the Windows web server’s C:\inetpub\wwwroot directory. Such files are a natural source of credentials (web.config, for example, frequently holds database connection strings) and of application code that can be examined for further vulnerabilities.
Other data collected by CL-UNK-1068 includes web browser history and bookmarks, XLSX and CSV files from the Desktop and Users directories, and MS-SQL database backup (.bak) files.
Notably, the attackers were observed using WinRAR to archive the files of interest, running certutil -encode to Base64-encode the archive, and then running the type command to print the Base64 text into the web shell’s command output.

“By encoding the archive as text and outputting it to the screen, the attacker was able to extract data without actually uploading the file,” Unit 42 said. “The attackers likely chose this method because the shell on the host allowed them to execute commands and view output, but not to transfer files directly.”
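The certutil-based exfiltration described above, seen from the defender's side, as an added example that is not code from the Unit 42 report: recover_archive() turns captured web-shell output back into the RAR file (certutil's armour header has to be stripped before decoding), and triage() runs a few process-creation rules over Sysmon-style events. All log lines, paths and file bytes are constructed for the demo.

```python
"""Added example, not code from the Unit 42 report: what the certutil
exfiltration looks like to a defender. recover_archive() rebuilds the RAR
file from captured web-shell output; triage() applies process-creation
rules to constructed Sysmon EID 1 / Security 4688 style events."""
import base64
import re

RAR_MAGIC = b"Rar!\x1a\x07"  # shared prefix of the RAR4 and RAR5 signatures


def certutil_encode(data: bytes) -> str:
    """Reproduce what `certutil -encode` writes: PEM-style CERTIFICATE armour
    around Base64 wrapped at 64 columns with CRLF line ends. Used here only
    to build demo input; the real tool runs on the victim host."""
    b64 = base64.b64encode(data).decode("ascii")
    body = "\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\r\n{body}\r\n-----END CERTIFICATE-----\r\n"


ARMOUR = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def recover_archive(shell_output: str) -> bytes:
    """Pull the Base64 body out of captured `type` output (usually mixed with
    prompts and other command output) and decode it back to the archive."""
    m = ARMOUR.search(shell_output)
    if not m:
        raise ValueError("no certutil armour in captured output")
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)


def is_rar(blob: bytes) -> bool:
    return blob.startswith(RAR_MAGIC)


# Constructed process-creation events; the first three are the attacker's
# archive / encode / display sequence run through the web shell, the last is
# benign certutil use for contrast.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files\WinRAR\Rar.exe" a -r C:\Windows\Temp\out.rar C:\inetpub\wwwroot\web.config'},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c certutil -encode C:\Windows\Temp\out.rar C:\Windows\Temp\out.txt"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c type C:\Windows\Temp\out.txt"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -verify C:\Users\alice\cert.cer"},
]

# Each rule: (name, predicate over one event). The IIS worker process
# spawning a shell is the web-shell signal; the other two catch the staging.
RULES = [
    ("IIS worker spawning shell", lambda e: e["parent"].lower().endswith("w3wp.exe")
     and e["image"].lower().endswith(("cmd.exe", "powershell.exe"))),
    ("certutil used as encoder", lambda e: re.search(r"certutil(\.exe)?\s.*-encode", e["cmdline"], re.I)),
    ("archiving from wwwroot", lambda e: re.search(r'\brar(\.exe)?"?\s+a\b.*inetpub\\wwwroot', e["cmdline"], re.I)),
]


def triage(events):
    """Return (event index, [matched rule names]) for every event hitting a rule."""
    hits = []
    for i, e in enumerate(events):
        names = [name for name, pred in RULES if pred(e)]
        if names:
            hits.append((i, names))
    return hits


if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", names)
```

The decode step matters in practice: an analyst who receives the web-shell response body from a proxy or IIS log can reconstruct exactly which files left the network, which is otherwise impossible when no file transfer ever took place.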
One technique used in these attacks is DLL sideloading through legitimate Python executables (python.exe and pythonw.exe) to covertly load malicious DLLs, among them FRP for persistent access, the PrintSpoofer privilege escalation tool, and a custom Go-based port scanner named ScanPortPlus.
CL-UNK-1068 is said to have conducted reconnaissance dating back to 2020 using a custom .NET tool named SuperDump; more recent intrusions have shifted to batch scripts that gather host information and map the local environment.
The attackers also use a variety of tools to facilitate credential theft.
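Why a relocated, legitimately signed python.exe can be made to load an attacker's DLL, as an added example that is not code from the Unit 42 report: for imports that are not on the KnownDLLs list, the Windows loader searches the application's own directory before the system directories, so a DLL dropped beside the copied interpreter shadows the real one. The file-system listing, the import list and the DLL name python39.dll are constructed for the demo; the report does not say which DLL was sideloaded.

```python
"""Added example, not code from the Unit 42 report: simulating the DLL
search order that makes python.exe sideloading work. Listing, import list
and DLL names are constructed; python.exe really is a thin launcher whose
main dependency is python3X.dll, which is what makes it a handy host."""
import ntpath

SYSTEM32 = r"C:\Windows\System32"
# KnownDLLs are always mapped from System32 and cannot be shadowed this way;
# a few representative entries.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}
# Locations an unprivileged user can typically write to (constructed set).
USER_WRITABLE = (r"c:\programdata", r"c:\users", r"c:\windows\temp")


def search_order(app_dir):
    """Default SafeDllSearchMode order, simplified to the parts that matter
    here: application directory first, then System32, then the Windows dir."""
    return [app_dir, SYSTEM32, r"C:\Windows"]


def resolve(dll, exe_path, fs):
    """Return the path the loader would pick for `dll`, or None when the
    import cannot be satisfied (the process would fail to start, so a
    sideloaded DLL must export what the host expects or proxy to the real one)."""
    fs_lower = {p.lower() for p in fs}
    if dll.lower() in KNOWN_DLLS:
        p = ntpath.join(SYSTEM32, dll)
        return p if p.lower() in fs_lower else None
    for d in search_order(ntpath.dirname(exe_path)):
        p = ntpath.join(d, dll)
        if p.lower() in fs_lower:
            return p
    return None


def sideload_candidates(exe_path, imports, fs):
    """Imports that resolve into the executable's own directory while that
    directory is user-writable: the condition an attacker needs."""
    app_dir = ntpath.dirname(exe_path).lower()
    hits = {}
    for dll in imports:
        p = resolve(dll, exe_path, fs)
        if p and ntpath.dirname(p).lower() == app_dir and app_dir.startswith(USER_WRITABLE):
            hits[dll] = p
    return hits


# Constructed listing: a legitimate install, the attacker's relocated copy
# with its own python39.dll beside it, and the system directory.
FS = {
    r"C:\Python39\python.exe", r"C:\Python39\python39.dll", r"C:\Python39\vcruntime140.dll",
    r"C:\ProgramData\svc\python.exe", r"C:\ProgramData\svc\python39.dll",
    r"C:\Windows\System32\kernel32.dll", r"C:\Windows\System32\vcruntime140.dll",
}
PYTHON_IMPORTS = ["kernel32.dll", "python39.dll", "vcruntime140.dll"]

if __name__ == "__main__":
    for exe in (r"C:\Python39\python.exe", r"C:\ProgramData\svc\python.exe"):
        print(exe, "->", sideload_candidates(exe, PYTHON_IMPORTS, FS))
```

The hunting consequence follows directly: a signed python.exe running from a user-writable directory, loading a python3X.dll that is not itself signed by the Python Software Foundation, is the observable that corresponds to this technique.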
“Using primarily open source tools, community-shared malware, and batch scripts, the group was able to maintain stealth operations while infiltrating sensitive organizations,” Unit 42 concluded.
“This line of activity demonstrates versatility by operating in both Windows and Linux environments and using different versions of tool sets for each operating system. The focus on credential theft and exfiltration of sensitive data from critical infrastructure and government departments strongly suggests an espionage motive, but a cybercriminal intent cannot yet be completely ruled out.”
