A cyber attack group, GroundPeony, targeting the Taiwanese government was discovered in March 2023. It used several tactics, such as tampering with legitimate websites to distribute malware, URL obfuscation, and multi-stage loaders.
Further investigation revealed that a China-nexus attack group was responsible for the attack, which exploited CVE-2022-30190, commonly known as Follina. The attack group has now been named “GroundPeony” by nao-sec.
GroundPeony or UNC3347 (Uncategorized Groups)
GroundPeony has been active since 2021, targeting government organizations in East and South Asia, especially Taiwan and Nepal.
The group has been exploiting Follina and is speculated to have access to a zero-day or to be capable of developing one. For these reasons, GroundPeony is considered an APT group with high attack skills and motivation.
In addition, malware used by GroundPeony has been present on VirusTotal since 2021, and the group's oldest known attack campaign dates back to April to June 2022, when attacks against Nepal, India, and other countries took place.
The APT group starts by sending a spear-phishing email containing a DOC file embedded with a URL for a ZIP file download. The downloaded ZIP file contains an EXE file and a DLL file, which are executed to install the malware.
The threat actors used discussions on maritime matters between Taiwan and the USA as the body of the email to make it look more legitimate. The DOC file, named “Regarding bilateral consultations with the USA”, is attached to this email and sent to the victims.
The DOC file contains text stating that an error has occurred and a patch needs to be applied, with a link pointing to the “update” (the malicious ZIP file).
Proceeding to download the update retrieves the ZIP file containing the malware.
Further investigation of the URL showed that, although it mimics Microsoft, it is actually a Cuttly link (Cuttly is a URL shortener and link management platform).
This URL opens a Cuttly page and redirects to the website of a Taiwanese educational institution that has been compromised by the threat actors. The compromised site hosts the ZIP archive containing the malware.
Once the EXE file (Install.exe or 系統安全補丁.exe) is executed, it copies four files from the $RECYCLE.BIN folder to the mic directory under C:\ProgramData. These four files are then renamed mic.exe, version.dll, mic.doc, and mic.ver.
mic.exe is a legitimate, digitally signed EXE file, whereas version.dll is a side-loaded DLL that acts as a shellcode launcher for mic.doc. mic.doc is a shellcode downloader, and mic.ver is a config file for micDown.
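As an added example (not from this article or from nao-sec's report), the following Python flags the staging pattern described above in constructed Sysmon-style file-create events; the event field names, the SID in the sample paths, and the sample events themselves are assumptions.

```python
# Added example: detection logic for the GroundPeony staging chain described in the article.
# Event format (assumed, Sysmon-like): {'image': creating process, 'target': file written}.
import re
from typing import Dict, Iterable, List

# Artifact names the article attributes to the loader stage.
STAGED_NAMES = {"mic.exe", "version.dll", "mic.doc", "mic.ver"}
STAGE_DIR = re.compile(r"^c:\\programdata\\mic\\", re.IGNORECASE)
RECYCLE_BIN = re.compile(r"\\\$recycle\.bin\\", re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"\\windows\\sys(wow64|tem32)\\", re.IGNORECASE)


def analyse(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return findings keyed by rule name for a stream of file-create events.

    Rules mirror the chain in the article: an installer running out of $RECYCLE.BIN,
    a version.dll dropped outside the Windows system directories (side-loading bait
    next to a signed EXE), and the complete four-file set landing in C:\\ProgramData\\mic.
    """
    findings: Dict[str, List[str]] = {
        "recycle_bin_process": [], "dll_sideload_bait": [], "full_staging_set": []}
    staged_seen = set()
    for ev in events:
        image, target = ev["image"], ev["target"]
        name = target.rsplit("\\", 1)[-1].lower()
        if RECYCLE_BIN.search(image) and image not in findings["recycle_bin_process"]:
            findings["recycle_bin_process"].append(image)
        # version.dll legitimately lives in System32/SysWOW64; elsewhere it is a side-load candidate.
        if name == "version.dll" and not SYSTEM_DIRS.search(target):
            findings["dll_sideload_bait"].append(target)
        if STAGE_DIR.match(target) and name in STAGED_NAMES:
            staged_seen.add(name)
    if staged_seen == STAGED_NAMES:
        findings["full_staging_set"].append("C:\\ProgramData\\mic\\")
    return findings


# Constructed sample events modelled on the behaviour described above (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"D:\$RECYCLE.BIN\S-1-5-21-1234\Install.exe", "target": r"C:\ProgramData\mic\mic.exe"},
    {"image": r"D:\$RECYCLE.BIN\S-1-5-21-1234\Install.exe", "target": r"C:\ProgramData\mic\version.dll"},
    {"image": r"D:\$RECYCLE.BIN\S-1-5-21-1234\Install.exe", "target": r"C:\ProgramData\mic\mic.doc"},
    {"image": r"D:\$RECYCLE.BIN\S-1-5-21-1234\Install.exe", "target": r"C:\ProgramData\mic\mic.ver"},
    {"image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\System32\version.dll"},  # benign
]

if __name__ == "__main__":
    for rule, hits in analyse(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(hits)} hit(s)")
```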
Furthermore, a complete report on the malware has been published by nao-sec, with full details of the malware's behavior, obfuscation, methodology, and other information.
Indicators of Compromise