Friday, December 6, 2024
HomeCyber AttackChinese Hackers Attacking Southeast Asian Nations With Malware Packages

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Published on

SIEM as a Service

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two Chinese Advanced Persistent Threat (APT) groups targeting entities and member countries of the Association of Southeast Asian Nations (ASEAN).

This alarming development underscores the escalating cyber threats faced by nations in the Southeast Asian region, highlighting the intricate web of digital espionage activities that continue to challenge global cybersecurity norms.

Palo Alto Networks’ Unit 42 identified cyberespionage activities by two Chinese hacking groups targeting the region for the past 90 days.

- Advertisement - SIEM as a Service

The Attackers:

  • Stately Taurus (aka Mustang Panda): A known Chinese APT group active since at least 2012, targeting government entities, nonprofits, and NGOs globally.
  • Second Unidentified Chinese APT Group: Recently compromised an ASEAN-affiliated entity, with similar activity observed in other member states.

The activity of Stately Taurus:

Coinciding with the ASEAN-Australia Special Summit (March 4-6, 2024), Stately Taurus created two malware packages likely targeting entities in Myanmar, the Philippines, Japan, and Singapore.

The report states that ASEAN-affiliated entities are particularly attractive targets for espionage operations due to their pivotal role in handling sensitive information related to diplomatic relations and economic decisions within the region.

Package 1: The Talking_Points_for_China.zip

          Talking_Points_for_China.zip
          Talking_Points_for_China.zip
  • A ZIP archive containing a renamed, signed anti-keylogging program that sideloads malicious code.
  • Targets attempt to connect to a malicious server (103.27.109.157:433).
  • Similar to a campaign reported by CSIRT-CTI.

Package 2: Note PSO.scr:

  • A screensaver executable targeting Myanmar.
  • Downloads a benign executable (WindowsUpdate.exe) and a malicious DLL (EACore.dll).
  • Attempts to connect to a different C2 server ([invalid URL removed] at 146.70.149.36).

Second Activity: the unidentified Chinese APT Group

  • Unit 42 discovered compromised systems within an ASEAN-affiliated entity linked to the APT group’s command-and-control (C2) infrastructure. 
  • This pattern of network connections has been observed in other government entities throughout the region. 
  • The targeted infrastructure includes IP addresses and domains specifically used for C2 communication. 
A pattern of life: working hours (+08:00 time adjusted).
A pattern of life: working hours (+08:00 time adjusted).
  • Interestingly, the attackers seem to follow a “work schedule” with activity concentrated on weekdays in China Standard Time (UTC+08:00) and a noticeable pause during holidays like Lunar New Year.

Mitigation:

Palo Alto Networks recommends utilizing their various security solutions to help organizations defend against these threats, including:

  • DNS Security and Advanced URL Filtering
  • WildFire threat detection engine
  • Prisma Cloud Defender agents with WildFire integration

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter

Latest articles

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...