Security firms have foiled a sophisticated cyber-espionage campaign run by a China-linked APT group and aimed at infiltrating a governmental institution and two companies.
Antivirus firms have uncovered and foiled a sophisticated cyber-espionage campaign aimed at a governmental institution and two companies in the telecommunications and gas sectors.
The level of sophistication of the attack and the nature of the targets suggest the involvement of an advanced persistent threat, likely from China, focused on cyber-espionage activity in Central Asia.
The attackers used multiple commodity malware families and previously unknown backdoors in the attacks; analysis of their code suggests a possible link with multiple campaigns uncovered over several years.
Most of the C2 servers used by the attackers are hosted by the provider Choopa, LLC, and the threat actors made heavy use of Gh0st RAT, a malware attributed to China-linked cyber-espionage groups.
The security firms ESET and Avast first detected the attacks in September and January, respectively. The researchers identified a server used as a repository containing hacking tools and backdoors, whose code has many similarities with malware previously attributed to China-linked APT groups.
“The samples we analyzed contain links to malware samples and campaigns, like Microcin, BYEBY, and Vicious Panda, previously described by Kaspersky, Palo Alto Networks, and Check Point, respectively. The backdoors we found are custom tools that haven’t previously been analyzed, as far as we know.” reads a report published by Avast. “The majority of the C&C servers are registered to Choopa, LLC, a hosting platform that has been employed by cybercriminals in the past.”
Below is a timeline of the attacks that appear to be related to the same threat actor.
[Figure: Avast APT timeline, May 2020]
“An APT group, which we believe could possibly be from China, planted backdoors to gain long-term access to corporate networks. Based on our analysis, we suspect the group was also behind attacks active in Mongolia, Russia, and Belarus.” continues Avast.
Researchers from ESET who investigated the attacks discovered three backdoors, collectively tracked as Mikroceen. The backdoors allow the threat actors to manage the target's file system, establish a remote shell, take screenshots, manage services and processes, and run console commands.
Below is the list of backdoors published by ESET:
- sqllauncher.dll (VMProtected backdoor)
- logon.dll (VMProtected backdoor)
- logsupport.dll (VMProtected backdoor)
All three backdoors feature protection against reverse engineering. Two of them, “sqllauncher.dll” and “logon.dll,” run as services and use the same C2 infrastructure.
The attackers use a version of the Mimikatz post-exploitation tool and rely on Windows Management Instrumentation (WMI) for lateral movement.
“Avast reported its findings to the local CERT team and reached out to the telecommunications company. We have not heard back from either organization.” concluded Avast.
“Avast has recently protected users in Central Asia from further attacks using the samples we analyzed.”
Both Avast and ESET have published a list of indicators of compromise (IoCs) for the above threats.
Source: Security Affairs