A suspected China-based threat actor has been linked to a series of cyber attacks targeting high-profile organizations in Southeast Asia since at least October 2023.
The espionage campaign targeted organizations in various sectors, spanning government ministries in two different countries, an air traffic control organization, a telecoms company, and a media outlet, the Symantec Threat Hunter Team said in a new report shared with The Hacker News.
The attacks, which leveraged tools previously identified as linked to China-based advanced persistent threat (APT) groups, are characterized by the use of both open-source and living-off-the-land (LotL) techniques.
This includes the use of reverse proxy programs such as Rakshasa and Stowaway, as well as asset discovery and identification tools, keyloggers, and password stealers. Also deployed during the course of the attacks is PlugX (aka Korplug), a remote access trojan put to use by multiple Chinese hacking groups.
“The threat actors also install customized DLL files that act as authentication mechanism filters, allowing them to intercept login credentials,” Symantec wrote. The Broadcom-owned company told The Hacker News it could not determine the initial infection vector in any of the attacks.
In one of the attacks targeting an entity, which lasted for three months between June and August 2024, the adversary conducted reconnaissance and password dumping activities, while also installing a keylogger and executing DLL payloads capable of capturing user login information.
Symantec noted that the attackers managed to retain covert access to compromised networks for extended periods of time, allowing them to harvest passwords and map networks of interest. The gathered information was compressed into password-protected archives using WinRAR and then uploaded to cloud storage services such as File.io.
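Two of the behaviours described above leave traces in ordinary endpoint telemetry: a DLL installed as an authentication filter, and password-protected WinRAR archives handed to a file-sharing service such as File.io. The Python below is an added example, not code from Symantec's report or from the article, showing how a defender might correlate those traces. It assumes the credential-intercepting DLL is loaded as an LSA password filter, i.e. registered in the `Notification Packages` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`; that is the usual mechanism behind such a description but the report does not confirm it. The Sysmon-style JSON event schema, the field names, the baseline package list and every sample log line are constructed for this example.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified, Sysmon-like JSON-lines form
# (event_id 1 = process create, 3 = network connection, 13 = registry value set).
# Field names and values are assumptions of this example, not real telemetry.
SAMPLE_LOG = r'''
{"ts": "2024-07-02T08:01:10", "event_id": 13, "host": "dc01", "image": "C:\\Windows\\regedit.exe", "target": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Notification Packages", "details": "scecli rassfm"}
{"ts": "2024-07-02T08:05:42", "event_id": 13, "host": "dc01", "image": "C:\\Windows\\System32\\reg.exe", "target": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Notification Packages", "details": "scecli rassfm pwfilter"}
{"ts": "2024-07-03T22:10:05", "event_id": 1, "host": "ws07", "image": "C:\\Temp\\rar.exe", "cmd": "rar.exe a -hpS3cret! C:\\Temp\\out.rar C:\\Users\\alice\\Documents"}
{"ts": "2024-07-03T22:14:30", "event_id": 3, "host": "ws07", "image": "C:\\Temp\\curl.exe", "dest_host": "file.io", "dest_port": 443}
{"ts": "2024-07-04T09:00:00", "event_id": 1, "host": "ws02", "image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "cmd": "WinRAR.exe a backup.rar C:\\Users\\bob\\Reports"}
{"ts": "2024-07-04T09:03:00", "event_id": 3, "host": "ws02", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest_host": "www.example.com", "dest_port": 443}
'''

# Baseline of LSA notification packages expected in this (assumed) environment.
# Build it from your own golden image; defaults vary by Windows role and version.
KNOWN_LSA_NOTIFICATION_PACKAGES = {"scecli", "rassfm"}
# WinRAR "-p<pwd>" / "-hp<pwd>" switches set a password (and -hp also encrypts headers).
RAR_PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p)(?!-)\S+")
FILE_SHARING_SERVICES = {"file.io"}
UPLOAD_WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse JSON-lines telemetry into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def unexpected_lsa_packages(ev):
    """Names written to the LSA 'Notification Packages' value that are outside the baseline."""
    if ev.get("event_id") != 13:
        return set()
    if not ev.get("target", "").lower().endswith("\\lsa\\notification packages"):
        return set()
    written = {name.lower() for name in ev.get("details", "").split()}
    return written - KNOWN_LSA_NOTIFICATION_PACKAGES


def is_password_protected_rar(ev):
    """Process creation of rar.exe/WinRAR.exe with a password switch on the command line."""
    if ev.get("event_id") != 1:
        return False
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    return image in {"rar.exe", "winrar.exe"} and bool(RAR_PASSWORD_SWITCH.search(ev.get("cmd", "")))


def is_file_sharing_connection(ev):
    """Outbound connection to a public file-sharing service used as a drop point."""
    return ev.get("event_id") == 3 and ev.get("dest_host", "").lower() in FILE_SHARING_SERVICES


def detect(events):
    """Run the three rules and correlate archive creation with a later upload per host."""
    alerts = []
    staged = {}  # host -> time of the last password-protected archive creation
    for ev in events:
        extra = unexpected_lsa_packages(ev)
        if extra:
            alerts.append({"host": ev["host"], "rule": "lsa_notification_package_added", "detail": sorted(extra)})
        if is_password_protected_rar(ev):
            staged[ev["host"]] = ev["ts"]
            alerts.append({"host": ev["host"], "rule": "password_protected_archive_created", "detail": ev["cmd"]})
        if is_file_sharing_connection(ev):
            t0 = staged.get(ev["host"])
            if t0 is not None and ev["ts"] - t0 <= UPLOAD_WINDOW:
                alerts.append({"host": ev["host"], "rule": "archive_then_upload_to_file_sharing", "detail": ev["dest_host"]})
    return alerts


def run_sample():
    """Apply the detector to the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The correlation deliberately keys on the host and a short window: an unprotected archive (ws02) or a browser session to an ordinary site triggers nothing, while a password-protected archive followed within minutes by a connection to File.io from the same host does. The registry rule should be fed from Sysmon's registry value-set events only for the LSA key, and the baseline must come from the defender's own builds rather than this example's guess.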
“This extended dwell time and calculated approach underscore the sophistication and persistence of the threat actors,” the company said. “The geographical location of targeted organizations, as well as the use of tools linked previously to China-based APT groups, suggests that this activity is the work of China-based actors.”
It is worth noting that the ambiguity in attributing these attacks to a specific Chinese threat actor underscores the difficulty of tracking cyber espionage groups when they often share tools and use similar tradecraft.
The geopolitical tensions in Southeast Asia over ongoing territorial disputes in the South China Sea have been accompanied by a series of cyber attacks targeting the region, as evidenced by threat activity groups tracked as Unfading Sea Haze, Mustang Panda, CeranaKeeper, and Operation Crimson Palace.
The development comes a day after SentinelOne SentinelLabs and Tinexta Cyber disclosed attacks undertaken by a China-nexus cyber espionage group targeting large business-to-business IT service providers in Southern Europe as part of an activity cluster dubbed Operation Digital Eye.
Last week, Symantec also revealed that an unnamed large U.S. organization was breached by likely Chinese threat actors between April and August 2024, during which time they moved laterally across the network, compromising multiple computers and likely exfiltrating data.