
Researchers Uncover Espionage Tactics of China-Based APT Groups in Southeast Asia


Dec 11, 2024 | Ravie Lakshmanan | Cyber Espionage / Cyber Attack


A suspected China-based threat actor has been linked to a series of cyber attacks targeting high-profile organizations in Southeast Asia since at least October 2023.

The espionage campaign targeted organizations in various sectors spanning government ministries in two different countries, an air traffic control organization, a telecoms operator, and a media outlet, the Symantec Threat Hunter Team said in a new report shared with The Hacker News.

The attacks, which leveraged tools previously identified as linked to China-based advanced persistent threat (APT) groups, are characterized by the use of both open-source and living-off-the-land (LotL) techniques.


This includes the use of reverse proxy programs such as Rakshasa and Stowaway, as well as asset discovery and identification tools, keyloggers, and password stealers. Also deployed during the course of the attacks is PlugX (aka Korplug), a remote access trojan put to use by several Chinese hacking groups.

"The threat actors also install customized DLL files that act as authentication mechanism filters, allowing them to intercept login credentials," Symantec wrote. The Broadcom-owned company told The Hacker News it could not determine the initial infection vector in any of the attacks.
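As an added defender-side example, not code from the article or from Symantec, the PowerShell audit below enumerates the LSA registration points through which a credential-filter DLL of the kind described above would typically be loaded and flags entries that are not in a baseline, are missing from System32, or are not validly Microsoft-signed. It assumes the DLLs are registered via the `Notification Packages` or `Authentication Packages` values (the article does not say how they were installed) and that the baseline names shown are replaced with those from a known-good host of the same role.

```powershell
# Added audit script (assumption: the filter DLLs are registered with LSA via the
# registry values below; the article does not state the mechanism). Run as Administrator.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Package names normally present on a default install; take these from a known-good host.
$baseline = @{
    'Notification Packages'   = @('scecli', 'rassfm')   # rassfm is expected only on domain controllers
    'Authentication Packages' = @('msv1_0')
}

$findings = @()
foreach ($valueName in $baseline.Keys) {
    # REG_MULTI_SZ is returned as a string array of DLL base names (no ".dll" suffix)
    $entries = (Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction Stop).$valueName
    foreach ($name in $entries) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        $reasons = @()
        if ($baseline[$valueName] -notcontains $name) { $reasons += 'not in baseline' }
        # LSA resolves bare names from System32; a full path here is itself unusual
        if ($name -match '[\\/]') { $reasons += 'registered as a path rather than a base name' }
        $dllPath = Join-Path $env:SystemRoot ("System32\{0}.dll" -f $name)
        if (-not (Test-Path -LiteralPath $dllPath)) {
            $reasons += 'DLL missing from System32'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reasons += ('signature {0}, signer "{1}"' -f $sig.Status, $sig.SignerCertificate.Subject)
            }
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Value   = $valueName
                Package = $name
                Path    = $dllPath
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { Write-Output 'No unexpected LSA packages found.' }
```

Any hit is a lead for review rather than a verdict: legitimate third-party password filters register here too, so compare against the approved software list before acting.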

In one of the attacks targeting an entity that lasted for three months between June and August 2024, the adversary conducted reconnaissance and password dumping activities, while also installing a keylogger and executing DLL payloads capable of capturing user login information.

Symantec noted that the attackers managed to retain covert access to compromised networks for extended periods of time, allowing them to harvest passwords and map networks of interest. The gathered information was compressed into password-protected archives using WinRAR and then uploaded to cloud storage services such as File.io.

"This extended dwell time and calculated approach underscore the sophistication and persistence of the threat actors," the company said. "The geographical location of targeted organizations, as well as the use of tools linked previously to China-based APT groups, suggests that this activity is the work of China-based actors."

It's worth noting that the ambiguity in attributing these attacks to a specific Chinese threat actor underscores the difficulty of tracking cyber espionage groups when they frequently share tools and use similar tradecraft.


The geopolitical tensions in Southeast Asia over ongoing territorial disputes in the South China Sea have been accompanied by a series of cyber attacks targeting the region, as evidenced by threat activity groups tracked as Unfading Sea Haze, Mustang Panda, CeranaKeeper, and Operation Crimson Palace.

The development comes a day after SentinelOne SentinelLabs and Tinexta Cyber disclosed attacks undertaken by a China-nexus cyber espionage group targeting large business-to-business IT service providers in Southern Europe as part of an activity cluster dubbed Operation Digital Eye.

Last week, Symantec also revealed that an unnamed large U.S. organization was breached by likely Chinese threat actors between April and August 2024, during which time they moved laterally across the network, compromising multiple computers and potentially exfiltrating data.
