Unknown China-Based APT Targeting Myanmarese Entities


Authored by: Parthiban Rajendran and Gage Mele. Information cutoff date: 6/19/2020


Overview


Anomali Threat Research has identified malicious activity targeting entities based in Myanmar (Burma) that, based on file names and payload compilation times, appears to have begun in March 2020. An unidentified Advanced Persistent Threat (APT), very likely China-based, is distributing Windows Shortcut (LNK) files that are renamed and sent to multiple targets, likely via spearphishing. Anomali Threat Research found these LNK files inside multiple, uniquely named RAR, TGZ, and ZIP files. The RAR and ZIP files are hosted on Google Drive, very likely to evade antivirus detection. The group uses Octopus, a PowerShell-based red-teaming tool, for Command and Control (C2) communication.


In addition, Anomali Threat Research found that the LNK file closely resembles the one used by the China-based APT Mustang Panda. Anomali Threat Research does not, however, believe that Mustang Panda is responsible for this activity. The similarity may indicate tool sharing, which is common among some state-sponsored groups, or a similar tool used to target specific geographic regions. At the time of this writing, Anomali Threat Research cannot attribute this activity to any specific group. The renamed LNK files are shown in Table 1 below.
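The two paragraphs above describe the delivery chain: LNK files, often renamed to hide their type, packed inside ZIP, TGZ and RAR archives. As an added defender-side example (not Anomali's code or a real sample), the script below opens ZIP and TGZ archives in memory and flags any member that carries the fixed MS-SHLLINK header, regardless of its file extension; the archives and file names it scans are constructed here for illustration, and RAR is noted as needing a third-party module.

```python
import io
import tarfile
import zipfile

# Every Windows Shortcut (MS-SHLLINK) begins with HeaderSize 0x4C followed by
# LinkCLSID {00021401-0000-0000-C000-000000000046}; these 20 bytes are fixed.
LNK_MAGIC = bytes.fromhex("4C0000000114020000000000C000000000000046")

def is_lnk(data: bytes) -> bool:
    """True if the bytes carry the fixed LNK header, whatever the file is named."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC

def scan_archive(blob: bytes, name: str) -> list:
    """List every member of a ZIP or TGZ archive that is really an LNK file."""
    lower = name.lower()
    if lower.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            members = [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
    elif lower.endswith((".tgz", ".tar.gz", ".tar")):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
            members = [(m.name, tf.extractfile(m).read()) for m in tf.getmembers() if m.isfile()]
    else:
        # RAR is not in the standard library; the third-party 'rarfile' module would be needed.
        raise ValueError(f"unsupported archive type: {name}")
    return [
        {"archive": name, "member": m, "disguised": not m.lower().endswith(".lnk")}
        for m, data in members
        if is_lnk(data)
    ]

def build_samples() -> dict:
    """Constructed test archives (not real samples): a ZIP with a renamed LNK and a text file, a TGZ with a plain .lnk."""
    lnk_stub = LNK_MAGIC + b"\x00" * 56  # header only, no shortcut target; inert
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("sample_doc.doc", lnk_stub)  # LNK masquerading as a document
        zf.writestr("readme.txt", b"plain text, not a shortcut")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w:gz") as tf:
        info = tarfile.TarInfo("notes.lnk")
        info.size = len(lnk_stub)
        tf.addfile(info, io.BytesIO(lnk_stub))
    return {"sample.zip": zbuf.getvalue(), "sample.tgz": tbuf.getvalue()}

def scan_all(samples: dict) -> list:
    """Run scan_archive over every archive and flatten the findings."""
    return [f for name, blob in samples.items() for f in scan_archive(blob, name)]
```

Running `scan_all(build_samples())` reports the disguised `sample_doc.doc` and the plainly named `notes.lnk` while ignoring `readme.txt`; the `disguised` flag is the signal worth alerting on, since a shortcut renamed to a document extension has no legitimate reason to arrive in a mailed archive.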


Targeting


China-sponsored APT groups are known to target countries in which the government of the People’s Republic of China is investing as part of its Belt and Road Initiative. Anomali Threat Research also observed this in its analysis of the China-based APT Mustang Panda. China and Myanmar (Burma) have had multiple instances of economic activity and agreements in 2020, as of this writing, and the tw ..
