An unnamed Southeast Asian government has been targeted by multiple China-nexus threat actors as part of espionage campaigns targeting the region over extended periods of time.
"While this activity occurred around the same time and in some instances even simultaneously on the same victims' machines, each cluster is characterized by distinct tools, modus operandi, and infrastructure," Palo Alto Networks Unit 42 researchers Lior Rochberger, Tom Fakterman, and Robert Falcone said in an exhaustive three-part report.
The attacks, which targeted different governmental entities such as critical infrastructure, public healthcare institutions, public financial administrators and ministries, have been attributed with moderate confidence to three disparate clusters tracked as Stately Taurus (aka Mustang Panda), Alloy Taurus (aka Granite Typhoon), and Gelsemium.
Mustang Panda Uses TONESHELL Variant and ShadowPad
"The attackers conducted a cyberespionage operation that focused on gathering intelligence as well as stealing sensitive documents and information, while maintaining a persistent and clandestine foothold," the researchers said, describing it as "highly-targeted and intelligence-driven."
The activity spanned from the second quarter of 2021 to the third quarter of 2023, leveraging an assortment of tools to conduct reconnaissance, steal credentials, maintain access, and conduct post-compromise actions.
Some of the notable software used to reach these goals includes the LadonGo open-source scanning framework, AdFind, Mimikatz, Impacket, China Chopper web shells, Cobalt Strike, ShadowPad, and a new version of the TONESHELL backdoor.
The malware eschews the use of shellcode in favor of three DLL-based components to set up persistence on the endpoint, establish command-and-control communications with a remote server, and carry out information-gathering operations, including command execution, file system interaction, keylogging, and screen capture.
"During the operation, the threat actor slowly took control of the victims' environments, focusing on maintaining control for a long-term operation," the researchers noted. "The purpose of the threat actor's efforts appears to be the continuous gathering and exfiltration of sensitive documents and intelligence."
Alloy Taurus Aims to Fly Under the Radar
The intrusion set linked to Alloy Taurus is said to have commenced in early 2022 and continued throughout 2023, leveraging uncommon techniques and bypassing security products for long-term persistence and reconnaissance.
These attacks, occurring in six different waves, weaponize security flaws in Microsoft Exchange Servers to deploy web shells, which then serve as a conduit to deliver additional payloads, including two previously unknown .NET backdoors, Zapoa and ReShell, used to execute arbitrary commands remotely and harvest sensitive data.
Zapoa also incorporates features to extract system information, run shellcode, enumerate running processes, load more .NET assembly files to augment its capabilities, and timestamp files and artifacts with a supplied date, a technique called timestomping.
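Timestomping is worth a closer look from the defender's side, because the rewritten timestamps usually leave secondary traces. The following added example (not Unit 42's code) applies three common forensic heuristics to NTFS timestamp records; the record layout, with `$STANDARD_INFORMATION` ("si") and `$FILE_NAME` ("fn") values already parsed out of an MFT export, and the sample records themselves are constructed for illustration.

```python
"""Heuristics for spotting timestomped NTFS timestamps (constructed example)."""
from datetime import datetime, timezone


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp (as exported by typical MFT parsers) as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def timestomp_indicators(rec: dict) -> list[str]:
    """Return the heuristics that fire for one MFT record; empty list means clean."""
    hits = []
    si_c, si_m = _ts(rec["si_created"]), _ts(rec["si_modified"])
    fn_c = _ts(rec["fn_created"])
    # 1. User-mode timestamp-setting APIs typically write whole seconds, while
    #    normal NTFS activity carries sub-second precision. Weak on its own:
    #    files extracted from archives or copied from FAT look the same.
    if si_m.microsecond == 0 and si_c.microsecond == 0:
        hits.append("zeroed sub-second precision")
    # 2. $FILE_NAME timestamps are maintained by the kernel and not exposed to
    #    the file-time API, so an $SI creation time earlier than the $FN one is
    #    suspicious. Caveat: renames and moves also refresh $FN.
    if si_c < fn_c:
        hits.append("$SI created before $FN created")
    # 3. Content modified before the file existed. Also seen on plain file
    #    copies (mtime preserved, new creation time), so corroborate with 1 or 2.
    if si_m < si_c:
        hits.append("modified before created")
    return hits


# Constructed sample records: a normally written file and a backdated one.
LEGIT_RECORD = {
    "si_created": "2023-03-01T08:00:00.512345",
    "si_modified": "2023-03-02T09:30:00.250001",
    "fn_created": "2023-03-01T08:00:00.512345",
}
STOMPED_RECORD = {
    "si_created": "2019-01-01T00:00:00",
    "si_modified": "2019-01-01T00:00:00",
    "fn_created": "2023-07-14T13:42:10.987654",
}

if __name__ == "__main__":
    for name, rec in (("legit", LEGIT_RECORD), ("stomped", STOMPED_RECORD)):
        print(name, timestomp_indicators(rec) or "no indicators")
```

Each heuristic has benign explanations, so treat a single hit as a lead to corroborate against the `$LogFile`/USN journal and the file's content, not as a verdict.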
"The threat actor behind this cluster employed a mature approach, utilizing multiwave intrusions and exploiting vulnerabilities in Exchange Servers as their main penetration vector," the researchers said.
In some cases, Alloy Taurus has also been observed carrying out credential theft to facilitate lateral movement by abusing the remote administration tool AnyDesk already present in the infiltrated environment.
Some of the other software installed by the threat actor includes Cobalt Strike, Quasar RAT, HDoor (a backdoor previously used by Chinese groups like Naikon and Goblin Panda), a Gh0st RAT variant known as Gh0stCringe, and Winnti, a multi-functional implant capable of granting remote control of an infected machine.
Gelsemium Singles Out Vulnerable IIS Servers
"This unique cluster had activity spanning over six months between 2022-2023," the researchers noted.
"It featured a combination of rare tools and techniques that the threat actor leveraged to gain a clandestine foothold and collect intelligence from sensitive IIS servers belonging to a government entity in Southeast Asia."
The attack chains capitalize on vulnerable web servers to install web shells and distribute backdoors like OwlProxy and SessionManager, while simultaneously utilizing other tools such as Cobalt Strike, Meterpreter, Earthworm, and SpoolFool for post-exploitation, tunneling command-and-control traffic, and privilege escalation.
OwlProxy is an HTTP proxy with backdoor functionality that first came to light in April 2020. SessionManager, detailed by Kaspersky last July, is a custom backdoor designed to parse the Cookie field within inbound HTTP requests to extract the commands issued by the attacker.
"The threat actor received access through the use of several web shells, following the attempted installation of multiple types of proxy malware and an IIS backdoor," the researchers said. "As some of the threat actor's attempts to install malware were unsuccessful, they kept delivering new tools, showing their ability to adapt to the mitigation process."