Cyber Security News

APT32 Turns GitHub into a Weapon Against Security Teams and Enterprise Networks

The Southeast Asian Advanced Persistent Threat (APT) group OceanLotus, also known as APT32, has been observed using GitHub to run a sophisticated poisoning attack against Chinese cybersecurity professionals.

The ThreatBook Research and Response Team analyzed the incident, which began spreading in mid-September 2024 and resulted in targeted attacks on several Chinese industries.

Novel Attack Methodologies

The attackers ingeniously embedded a malicious .suo file within a Visual Studio project, triggering its execution upon compilation.

This approach marks a first for OceanLotus, showcasing their innovative use of development tools against cybersecurity experts.

Visual Studio loads the .suo file automatically when a project is opened, so the embedded malicious code runs without any further user action and is then deleted to avoid detection.

Targeting Strategy

Operating under the guise of a security researcher from a prominent Chinese FinTech company, the attacker created a GitHub account named 0xjiefeng in October 2024.

This account forked various security tool projects and released tools with backdoored Cobalt Strike plugins, baiting targets from the Chinese cybersecurity community with a deceptive narrative of enhancing security tools.

Figure: Chinese expressions in the project

Indicators of Compromise (IOCs)

ThreatBook has identified key Indicators of Compromise (IOCs) for detection:

  • GitHub Account: 0xjiefeng
  • Malicious Files: TraceIndexer.exe and TTDReplay.dll in C:\Users\Public\TTDIndexerX64\
  • Autostart Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TTDIndexerX64
  • C2 Communication: The attack leverages the Notion API, with a specific page_id 11f5edabab708090b982d1fe423f2c0b.
  • IP Addresses and Ports: Multiple C2 servers are used, including 190.211.254.203:4443, 45.41.204.18:8443, and others.
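An added host triage script, written for this article and not code from ThreatBook or the attacker's repositories, that checks a Windows host for the IOCs listed above (the two dropped files, the Run value and live connections to the two listed C2 endpoints) and lists any .suo files found under a cloned repository; the repository path is an assumed location.

```powershell
# Added triage check for the APT32 / 0xjiefeng IOCs above (not the article's or ThreatBook's code).
# Run in PowerShell on the Windows host being examined; read-only, nothing is changed.

$IocPaths = @(
    'C:\Users\Public\TTDIndexerX64\TraceIndexer.exe',
    'C:\Users\Public\TTDIndexerX64\TTDReplay.dll'
)
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'TTDIndexerX64'
$C2Peers  = @('190.211.254.203:4443', '45.41.204.18:8443')   # the two endpoints named in the IOC list

$findings = @()

# 1. Dropped files under the public profile; record a hash for the incident report
foreach ($p in $IocPaths) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "FILE  $p (SHA256 $hash)"
    }
}

# 2. Autostart value in the current user's Run key
$run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
if ($run) {
    $findings += "REG   $RunKey\$RunValue = $($run.$RunValue)"
}

# 3. Established TCP connections to the listed C2 endpoints, with the owning process
foreach ($c in (Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue)) {
    $peer = "$($c.RemoteAddress):$($c.RemotePort)"
    if ($C2Peers -contains $peer) {
        $proc = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings += "NET   $peer from PID $($c.OwningProcess) ($proc)"
    }
}

# 4. .suo files inside a cloned repository. A .suo holds per-user Visual Studio state and is
#    normally never committed, so one shipped in a checkout deserves a look before the
#    solution is opened. $RepoRoot is an assumption: point it at your clone.
$RepoRoot = 'C:\src\suspect-repo'
if (Test-Path -LiteralPath $RepoRoot) {
    Get-ChildItem -LiteralPath $RepoRoot -Recurse -Force -Filter '*.suo' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "SUO   $($_.FullName) ($($_.Length) bytes)" }
}

if ($findings.Count -eq 0) { 'No APT32/0xjiefeng IOCs found on this host.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The file, registry and network checks only cover the indicators published in this article; a clean result here does not rule out other builds of the backdoor.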

This incident has led to an extensive spread of the malicious code within China’s cybersecurity community.

Numerous blogs and platforms have inadvertently shared the backdoored projects, amplifying the attack’s reach.

Figure: Chinese cybersecurity blogs

The attacker took advantage of machine translations to craft Chinese descriptions and instructions, making the bait more enticing for the intended audience.

The attack not only exploited GitHub’s trust as a repository for open-source code but also manipulated the trust in popular development environments like Visual Studio.

By embedding malicious code within project settings, the attack leveraged the automatic loading mechanisms of these tools to initiate remote control capabilities and steal intelligence, aiming primarily at large technology enterprises and cybersecurity research groups in China.

This incident serves as a stark reminder of the evolving landscape of cyber threats where even tools designed for enhancement and protection can be weaponized by state-sponsored actors.

Cybersecurity professionals and organizations are urged to remain vigilant, updating their systems and tools, and integrating robust threat detection mechanisms like those provided by ThreatBook to thwart similar sophisticated attacks.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
