Researchers Uncover Espionage Tactics of China-Based APT Groups in Southeast Asia


Dec 11, 2024 | Ravie Lakshmanan | Cyber Espionage / Cyber Attack

A suspected China-based threat actor has been linked to a series of cyber attacks targeting high-profile organizations in Southeast Asia since at least October 2023.

The espionage campaign targeted organizations in various sectors, spanning government ministries in two different countries, an air traffic control organization, a telecoms company, and a media outlet, the Symantec Threat Hunter Team said in a new report shared with The Hacker News.

The attacks, which leveraged tools previously identified as linked to China-based advanced persistent threat (APT) groups, are characterized by the use of both open-source and living-off-the-land (LotL) techniques.

This includes the use of reverse proxy programs such as Rakshasa and Stowaway, as well as asset discovery and identification tools, keyloggers, and password stealers. Also deployed over the course of the attacks is PlugX (aka Korplug), a remote access trojan used by multiple Chinese hacking groups.

"The threat actors also install customized DLL files that act as authentication mechanism filters, allowing them to intercept login credentials," Symantec wrote. The Broadcom-owned company told The Hacker News it could not determine the initial infection vector in any of the attacks.

In one of the attacks targeting an entity, which lasted for three months between June and August 2024, the adversary conducted reconnaissance and password dumping activities, while also installing a keylogger and executing DLL payloads capable of capturing user login information.

Symantec noted that the attackers managed to retain covert access to compromised networks for extended periods of time, allowing them to harvest passwords and map networks of interest. The gathered information was compressed into password-protected archives using WinRAR and then uploaded to cloud storage services such as File.io.
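The staging-then-upload chain described above (password-protected WinRAR archive, followed by a connection to File.io from the same host) is the kind of sequence a defender can correlate in endpoint telemetry. The following is an added detection example, not code from Symantec's report; the pipe-delimited event lines, host names and the one-hour window are constructed assumptions, and the `-p`/`-hp` switches are WinRAR's real password options.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report), one event per line:
# timestamp|host|event_type|detail
SAMPLE_EVENTS = """\
2024-07-02T09:14:03|WS-17|process|C:\\Program Files\\WinRAR\\Rar.exe a -hpS3cret! C:\\Users\\Public\\stage.rar C:\\Users\\Public\\dump
2024-07-02T09:16:41|WS-17|network|file.io:443
2024-07-02T11:05:10|WS-22|process|C:\\Program Files\\WinRAR\\Rar.exe a C:\\backup\\weekly.rar D:\\reports
2024-07-02T11:40:00|WS-22|network|updates.example.com:443
2024-07-03T08:00:00|WS-09|network|file.io:443
"""

# WinRAR sets an archive password with -p<pwd> (or -hp<pwd>, which also encrypts headers).
RAR_PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p)\S*", re.IGNORECASE)
# File-drop services seen in the report; extend with what your environment observes.
CLOUD_DROP_HOSTS = {"file.io"}


def parse_events(text):
    """Parse the constructed log format into (timestamp, host, kind, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def find_staging_then_upload(events, window=timedelta(hours=1)):
    """Return (host, archive_time, upload_time, destination) for every host that
    created a password-protected RAR archive and, within `window`, connected to a
    known file-drop service. A password-protected archive alone is not flagged,
    and neither is a File.io connection without prior staging on the same host."""
    hits = []
    staged = {}  # host -> time of its most recent password-protected archive creation
    for ts, host, kind, detail in sorted(events):
        if kind == "process" and "rar.exe" in detail.lower() and RAR_PASSWORD_SWITCH.search(detail):
            staged[host] = ts
        elif kind == "network":
            dest_host = detail.rsplit(":", 1)[0].lower()
            if dest_host in CLOUD_DROP_HOSTS and host in staged and ts - staged[host] <= window:
                hits.append((host, staged[host], ts, detail))
    return hits


if __name__ == "__main__":
    for hit in find_staging_then_upload(parse_events(SAMPLE_EVENTS)):
        print("ALERT staged-archive-then-upload:", hit)
```

Only WS-17 is flagged: WS-22 built an archive without a password, and WS-09 reached File.io with no preceding staging step.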

"This extended dwell time and calculated approach underscore the sophistication and persistence of the threat actors," the company said. "The geographical location of targeted organizations, as well as the use of tools previously linked to China-based APT groups, suggests that this activity is the work of China-based actors."

It is worth noting that the ambiguity in attributing these attacks to a specific Chinese threat actor underscores the challenge of tracking cyber espionage groups when they frequently share tools and use similar tradecraft.

The geopolitical tensions in Southeast Asia over ongoing territorial disputes in the South China Sea have been accompanied by a series of cyber attacks targeting the region, as evidenced by threat activity groups tracked as Unfading Sea Haze, Mustang Panda, CeranaKeeper, and Operation Crimson Palace.

The development comes a day after SentinelOne SentinelLabs and Tinexta Cyber disclosed attacks undertaken by a China-nexus cyber espionage group targeting large business-to-business IT service providers in Southern Europe as part of an activity cluster dubbed Operation Digital Eye.

Last week, Symantec also revealed that an unnamed large U.S. organization was breached by likely Chinese threat actors between April and August 2024, during which time they moved laterally across the network, compromising multiple computers and possibly exfiltrating data.
