Friday, April 12, 2024

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two Chinese Advanced Persistent Threat (APT) groups targeting entities and member countries of the Association of Southeast Asian Nations (ASEAN).

This alarming development underscores the escalating cyber threats faced by nations in the Southeast Asian region, highlighting the intricate web of digital espionage activities that continue to challenge global cybersecurity norms.

Palo Alto Networks’ Unit 42 identified cyberespionage activities by two Chinese hacking groups targeting the region for the past 90 days.

The Attackers:

  • Stately Taurus (aka Mustang Panda): A known Chinese APT group active since at least 2012, targeting government entities, nonprofits, and NGOs globally.
  • Second Unidentified Chinese APT Group: Recently compromised an ASEAN-affiliated entity, with similar activity observed in other member states.

The activity of Stately Taurus:

Coinciding with the ASEAN-Australia Special Summit (March 4-6, 2024), Stately Taurus created two malware packages likely targeting entities in Myanmar, the Philippines, Japan, and Singapore.

The report states that ASEAN-affiliated entities are particularly attractive targets for espionage operations due to their pivotal role in handling sensitive information related to diplomatic relations and economic decisions within the region.

Package 1: The Talking_Points_for_China.zip

          Talking_Points_for_China.zip
          Talking_Points_for_China.zip
  • A ZIP archive containing a renamed, signed anti-keylogging program that sideloads malicious code.
  • Targets attempt to connect to a malicious server (103.27.109.157:433).
  • Similar to a campaign reported by CSIRT-CTI.

Package 2: Note PSO.scr:

  • A screensaver executable targeting Myanmar.
  • Downloads a benign executable (WindowsUpdate.exe) and a malicious DLL (EACore.dll).
  • Attempts to connect to a different C2 server ([invalid URL removed] at 146.70.149.36).

Second Activity: the unidentified Chinese APT Group

  • Unit 42 discovered compromised systems within an ASEAN-affiliated entity linked to the APT group’s command-and-control (C2) infrastructure. 
  • This pattern of network connections has been observed in other government entities throughout the region. 
  • The targeted infrastructure includes IP addresses and domains specifically used for C2 communication. 
A pattern of life: working hours (+08:00 time adjusted).
A pattern of life: working hours (+08:00 time adjusted).
  • Interestingly, the attackers seem to follow a “work schedule” with activity concentrated on weekdays in China Standard Time (UTC+08:00) and a noticeable pause during holidays like Lunar New Year.

Mitigation:

Palo Alto Networks recommends utilizing their various security solutions to help organizations defend against these threats, including:

  • DNS Security and Advanced URL Filtering
  • WildFire threat detection engine
  • Prisma Cloud Defender agents with WildFire integration

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter

Website

Latest articles

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...

Taxi App Vendor Data Leak: 300K Passengers Data Exposed

Around 300,000 taxi passengers' personal information was left exposed on the internet, causing concern...

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles