Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two Chinese Advanced Persistent Threat (APT) groups targeting entities and member countries of the Association of Southeast Asian Nations (ASEAN).

This alarming development underscores the escalating cyber threats faced by nations in the Southeast Asian region, highlighting the intricate web of digital espionage activities that continue to challenge global cybersecurity norms.

Palo Alto Networks’ Unit 42 identified cyberespionage activities by two Chinese hacking groups targeting the region for the past 90 days.

The Attackers:

  • Stately Taurus (aka Mustang Panda): A known Chinese APT group active since at least 2012, targeting government entities, nonprofits, and NGOs globally.
  • Second Unidentified Chinese APT Group: Recently compromised an ASEAN-affiliated entity, with similar activity observed in other member states.

The activity of Stately Taurus:

Coinciding with the ASEAN-Australia Special Summit (March 4-6, 2024), Stately Taurus created two malware packages likely targeting entities in Myanmar, the Philippines, Japan, and Singapore.

The report states that ASEAN-affiliated entities are particularly attractive targets for espionage operations due to their pivotal role in handling sensitive information related to diplomatic relations and economic decisions within the region.

Package 1: The Talking_Points_for_China.zip

          Talking_Points_for_China.zip          Talking_Points_for_China.zip
Talking_Points_for_China.zip
  • A ZIP archive containing a renamed, signed anti-keylogging program that sideloads malicious code.
  • Targets attempt to connect to a malicious server (103.27.109.157:433).
  • Similar to a campaign reported by CSIRT-CTI.

Package 2: Note PSO.scr:

  • A screensaver executable targeting Myanmar.
  • Downloads a benign executable (WindowsUpdate.exe) and a malicious DLL (EACore.dll).
  • Attempts to connect to a different C2 server ([invalid URL removed] at 146.70.149.36).

Second Activity: the unidentified Chinese APT Group

  • Unit 42 discovered compromised systems within an ASEAN-affiliated entity linked to the APT group’s command-and-control (C2) infrastructure.
  • This pattern of network connections has been observed in other government entities throughout the region.
  • The targeted infrastructure includes IP addresses and domains specifically used for C2 communication.
A pattern of life: working hours (+08:00 time adjusted).
  • Interestingly, the attackers seem to follow a “work schedule” with activity concentrated on weekdays in China Standard Time (UTC+08:00) and a noticeable pause during holidays like Lunar New Year.

Mitigation:

Palo Alto Networks recommends utilizing their various security solutions to help organizations defend against these threats, including:

  • DNS Security and Advanced URL Filtering
  • WildFire threat detection engine
  • Prisma Cloud Defender agents with WildFire integration

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter

Sneka

Recent Posts

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations, particularly…

10 hours ago

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search Service…

11 hours ago

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider, has…

11 hours ago

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800 compromised…

11 hours ago

Hackers Bypass AI Filters from Microsoft, Nvidia, and Meta Using a Simple Emoji

Cybersecurity researchers have uncovered a critical flaw in the content moderation systems of AI models…

12 hours ago

Microsoft Alerts That Default Helm Charts May Expose Kubernetes Apps to Data Leaks

Microsoft’s cybersecurity research team has issued a stark warning about the risks of using default…

12 hours ago