A sophisticated advanced persistent threat (APT) group believed to be operating out of China has been stealthily targeting Southeast Asian governments over the past three years, Bitdefender reports.
The attacker’s infrastructure appears to be active even today, despite many of the command and control (C&C) servers being inactive.
Believed to be state-sponsored, the group was observed using numerous malware families, including the Chinoxy backdoor, PCShare RAT, and the FunnyDream backdoor.
The fact that some of these open-source tools are known to be of Chinese origin and the use of other resources in Chinese led the researchers to the conclusion that the group behind these attacks consists of Chinese speakers.
The attacks appear to have started in 2018, with the activity increasing significantly in early 2019, when more than 200 systems were infected within five months. The attackers strived to maintain persistence within the victim networks for as long as possible.
“Some evidence suggests threat actors may have managed to compromise domain controllers from the victim’s network, allowing them to move laterally and potentially gain control over a large number of machines from that infrastructure,” Bitdefender explains in a report.
For persistence, the adversary employed digitally signed binaries that are leveraged to side-load one of the backdoors into memory. Data of interest is identified and exfiltrated using custom tools.
In 2018, the group was using the Chinoxy backdoor to establish persistence, with the open-source Chinese RAT PcShare being deployed afterwards. A tool called ccf32 was being used for file collecti ..
Support the originator by clicking the read the rest link below.
