Two Chinese APT groups step up cyber espionage activities against ASEAN countries

Chinese APT group

Two China-linked advanced persistent threat (APT) groups have been observed targeting Association of Southeast Asian Nations (ASEAN) affiliated entities and member states in cyber espionage campaigns over the past three months.

These include a threat actor called Mustang Panda, which has recently been linked to cyberattacks targeting Myanmar and other Asian countries that used a variant of the PlugX (also known as Korplug) backdoor called DOPLUGS.

Mustang Panda (also known as Camaro Dragon, Earth Preta, and Stately Taurus) is believed to have targeted entities in Myanmar, the Philippines, Japan, and Singapore, sending phishing emails designed to deliver two malware packages.

Palo Alto Networks Unit 42 said in a report shared with The Hacker News: “Threat actors targeted the ASEAN-Australia Special Summit on March 4-5, 2024 (March 4-6, 2024). Malware was created for these packages.”

One of the malware packages is a ZIP file that contains an executable file (“Talking_Points_for_China.exe”), which upon startup loads a DLL file (“KeyScramblerIE.dll”) and ultimately deploys a program called PUBLOAD The known Mustang Panda malware is a type of malware called PUBLOAD. Downloader previously used to remove PlugX.

It’s worth pointing out here that the binary is a renamed copy of a legitimate piece of software called KeyScrambler.exe, which is susceptible to DLL sideloading.

The second software package, on the other hand, is a screensaver executable (“Note PSO.scr”) that retrieves next-stage malicious code from a remote IP address, including one signed by a video game company The benign program was renamed WindowsUpdate. exe and a malicious DLL launched using the same technique as before.

Internet security

“The malware then attempts to establish a connection to www[.]Open server name[.]com 146.70.149[.]36 for command and control (C2),” the researchers said.

Unit 42 said it also detected network traffic between ASEAN-affiliated entities and the C2 infrastructure of a second Chinese APT group, indicating a compromise of the victim’s environment. This unnamed threat activity group has been attributed to similar attacks targeting Cambodia.

“These types of activities continue to demonstrate how organizations are being targeted for cyber espionage purposes, with nation-state affiliated threat groups gathering intelligence on geopolitical interests within the region,” the researchers said.

Earth Krahang appears in the wild

A week ago, Trend Micro revealed a new Chinese threat actor called Earth Krahang that exploits spear phishing and flaws in public-facing Openfire and Oracle servers to deliver custom malware such as PlugX. Targeted 116 entities in 35 countries, ShadowPad, ReShell and DinodasRAT (also known as XDealer).

The earliest attacks date back to early 2022, with attackers using a combination of methods to scan for sensitive data.

cyber espionage

Earth Krahang is focused on Southeast Asia and also has some overlap with another tracked China-linked threat group, Earth Lusca (aka RedHotel). Both intrusions are likely managed by the same threat actor and associated with a Chinese government contractor called I-Soon.

“One of the favorite tactics of threat actors is to use their malicious access to government infrastructure to attack other government entities, abuse the infrastructure to host malicious payloads, proxy attack traffic, and use compromised government email accounts to Relevant targets are sent spear phishing emails,” the company said.

“Earth Krahang also uses other tactics, such as setting up a VPN server on a compromised public-facing server to establish access to the victim’s private network and performing a brute force attack to obtain email credentials. These credentials are then used to Exfiltrate victim’s emails.”

I-Soon leaks and shady hacker-for-hire scene

Last month, a set of documents leaked on GitHub by I-Soon (aka Anxun) revealed how the company sold various stealth programs and remote access programs such as ShadowPad and Winnti (aka TreadStone) to multiple Chinese government entities Trojan horse. This also includes an integrated operating platform designed to conduct offensive network activities and an undocumented Linux implant code-named Hector.

“The integrated operations platform covers internal and external applications and networks,” Bishop Fox said. “Internal applications are primarily used for task and resource management. External applications are designed to perform network operations.”

This unknown hacker-for-hire entity was also involved in the 2019 POISON CARP campaign targeting Tibetan groups and the 2022 Comm100 hack, in addition to targeting foreign governments and domestic ethnic minorities to obtain valuable information, some of which Information is provided via the Internet. They grew independently, hoping to gain government clients.

“This data breach provides us with rare insights into how the Chinese government outsources parts of its network operations to private third-party companies, and how these companies work with each other to meet these needs,” ReliaQuest noted.

Internet security

Cybersecurity firm Recorded Future said in its own analysis that the leak revealed “operations between the company and three different Chinese state-backed cyber groups: RedAlpha (also known as Deepcliff), RedHotel and POISON CARP” and organizational relationships.”

“It provides supporting evidence regarding the existence of long-suspected ‘digital quartermasters’ that provide capabilities to multiple Chinese government-backed groups.”

It also said that overlap indicates the presence of multiple sub-teams within the same company that focus on specific tasks. I-Soon’s victims are spread across at least 22 countries, with government, telecommunications and education being the most targeted sectors.

Additionally, publicly available documents confirm that the Tianfu Cup—China’s own Pwn2Own hacking competition—serves as the government’s “vulnerability supply system,” allowing it to store zero-day vulnerabilities and engineer exploitable code.

“While Tianfu Cup submissions have not yet fully exploited the chain, the Department of Public Safety will distribute proof-of-concept vulnerabilities to private companies to further exploit these proof-of-concept capabilities,” Margin Research said.

“China’s vulnerability disclosure requirements are part of the puzzle of how China stores and weaponizes vulnerabilities, which laid the foundation for the secret collection provided by the Tianfu Cup in previous years.”

The source of the leak is unclear at this time, but two I-Soon employees told The Associated Press that it is cooperating with law enforcement in the investigation. The company’s website is now offline.

SentinelOne’s Dakota Cary and Aleksandar Milenkoski said: “This leak provides some of the most concrete details yet made public about the nature of China’s cyber espionage ecosystem. mature nature.” “It clearly demonstrates how the government’s goal requirements are driving competition in the independent contractor hacker employment market.”

Did you find this article interesting?follow us Twitter and LinkedIn to read more exclusive content from us.



Source link



from Tech Empire Solutions https://techempiresolutions.com/two-chinese-apt-groups-step-up-cyber-espionage-activities-against-asean-countries/
via https://techempiresolutions.com/

from Tech Empire Solutions https://techempiresolutions.blogspot.com/2024/03/two-chinese-apt-groups-step-up-cyber.html
via https://techempiresolutions.com/

Comments

Post a Comment

Popular posts from this blog

Perfecta grill uses AI to help cook steaks in 90 seconds

Image
CES is increasingly becoming a barbecue show, and companies are constantly looking for ways to bring more technology to your deck or patio. One company adding artificial intelligence technology to its spice racks is Seergerills, a British startup made up of engineers and product developers. Its flagship model, the Perfecta, can cook a one-inch-thick rib-eye steak in 90 seconds. Overall, the company says the grill looks more like a see-through countertop oven and cooks food about 10 times faster than traditional cooking methods. Inside, dual vertical infrared burners cook both sides simultaneously, which not only speeds up the process but also eliminates the need for flipping. Seergerills says the burner has a maximum temperature of 1,652 degrees Fahrenheit, and the unit even ensures crisp edges thanks to 360-degree heating. The built-in artificial intelligence chef calculates the appropriate cooking time and temperature based on the food, taking into account the desired degree of done
Read more

John Wick heads to Vegas to visit interactive attractions

Image
image: Lionsgate If you’ve ever wanted to fully immerse yourself in John Wick , Lionsgate has got you covered. Later this year, action series is becoming “immersive and interactive” tourist attractions In Las Vegas. Grace Byers on horror and comedy in ‘The Dark’ According to the press release, John Wick Experience Produced in collaboration with series director Chad Stahelski and his production company 87Eleven. The 12,000-square-foot exhibit at the city’s AREA15 campus lets visitors “experience high-stakes adventures and visit themed bars and retail stores open to the public.” Guests will be given specific tasks involving characters and images from the film. They’ll also rub shoulders with Continental employees, crime bosses, and other assassins who (presumably) don’t come into contact with Wick’s bad side at any point in the movie, all in an effort to gain access to private Continental areas and learn about the interesting secret. Jenefer Brown, exec
Read more

Ford prepares for next war, Waymo recalls its self-driving car software, another self-driving startup lays off employees

Image
TechCrunch Mobility is a weekly newsletter dedicated to all things transportation. Sign up here – just click TechCrunch Mobility – and get the newsletter in your inbox every weekend. Subscription is free. welcome back TechCrunch Mobile — A central hub for news and insights about the future of transportation.This week’s news includes BMW Security breach exposes sensitive information, federal agencies fight back against Tesla super bowl ad and a new federal investigation Fisker . But first, I want to talk about my recent visit to the law, where I met some people Ford Executives understand their priorities for 2024 and beyond. It can be said with certainty Chinese electric vehicle manufacturer and Tesla is the most important; in the view of Ford executives, low-cost electric vehicles and cutting-edge software are the best ways to stop these threats. The company’s recently revealed Skunk Works project for electric vehicles is tasked with this task. Ford Chief Financial Officer J
Read more