Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two Chinese Advanced Persistent Threat (APT) groups targeting entities and member countries of the Association of Southeast Asian Nations (ASEAN).

This alarming development underscores the escalating cyber threats faced by nations in the Southeast Asian region, highlighting the intricate web of digital espionage activities that continue to challenge global cybersecurity norms.

Palo Alto Networks’ Unit 42 identified cyberespionage activities by two Chinese hacking groups targeting the region for the past 90 days.

The Attackers:

• Stately Taurus (aka Mustang Panda): A known Chinese APT group active since at least 2012, targeting government entities, nonprofits, and NGOs globally.
• Second Unidentified Chinese APT Group: Recently compromised an ASEAN-affiliated entity, with similar activity observed in other member states.

The activity of Stately Taurus:

Coinciding with the ASEAN-Australia Special Summit (March 4-6, 2024), Stately Taurus created two malware packages likely targeting entities in Myanmar, the Philippines, Japan, and Singapore.

The report states that ASEAN-affiliated entities are particularly attractive targets for espionage operations due to their pivotal role in handling sensitive information related to diplomatic relations and economic decisions within the region.

Package 1: The Talking_Points_for_China.zip

• A ZIP archive containing a renamed, signed anti-keylogging program that sideloads malicious code.
• Targets attempt to connect to a malicious server (103.27.109.157:433).
• Similar to a campaign reported by CSIRT-CTI.

Package 2: Note PSO.scr:

• A screensaver executable targeting Myanmar.
• Downloads a benign executable (WindowsUpdate.exe) and a malicious DLL (EACore.dll).
• Attempts to connect to a different C2 server ([invalid URL removed] at 146.70.149.36).

Second Activity: the unidentified Chinese APT Group

• Unit 42 discovered compromised systems within an ASEAN-affiliated entity linked to the APT group’s command-and-control (C2) infrastructure. 
• This pattern of network connections has been observed in other government entities throughout the region. 
• The targeted infrastructure includes IP addresses and domains specifically used for C2 communication. 

• Interestingly, the attackers seem to follow a “work schedule” with activity concentrated on weekdays in China Standard Time (UTC+08:00) and a noticeable pause during holidays like Lunar New Year.

Mitigation:

Palo Alto Networks recommends utilizing their various security solutions to help organizations defend against these threats, including:

• DNS Security and Advanced URL Filtering
• WildFire threat detection engine
• Prisma Cloud Defender agents with WildFire integration

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter