According to Bitdefender, a sophisticated advanced persistent threat (APT) group, believed to be based in China, has been covertly attacking Southeast Asian governments for the past three years.
The attacker's infrastructure still appears to be active, even though many of the command and control (C&C) servers are offline.
The group is believed to be state-sponsored and has used multiple malware families, including the Chinoxy backdoor, the PCShare RAT and the FunnyDream backdoor.
The fact that some of these open source tools are known to be of Chinese origin, together with the use of other Chinese-language resources, led the researchers to conclude that the group behind these attacks is Chinese.
The attacks appear to have started in 2018, with activity increasing significantly in early 2019, when more than 200 systems were infected within five months. The attackers aimed to remain persistent in victim networks for as long as possible.
There are indications that the attackers compromised the domain controllers of the victim's network, which allowed them to move laterally and eventually take control of a large number of machines on that infrastructure, Bitdefender explains in its report.
For persistence, the adversary used digitally signed binaries that side-load one of the backdoors into memory. Data of interest is identified and filtered using custom tools.
In 2018, the group used the Chinoxy backdoor to establish persistence, after which the open source Chinese PcShare RAT was deployed. The ccf32 tool was used for file collection, and from 2019 onward the same tool (along with others) was used in FunnyDream infections.
The ccf32 command line tool used for data collection can list all files on the hard disk or only those in specified target folders. It also lets the attackers filter files by extension, collect the files of interest in a hidden folder in the current location, and then add those files to an archive that is sent to the attackers.
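The staging pattern just described (many document files copied into a hidden folder within a short window, then an archive written alongside them) can be hunted for in a file-activity inventory. The following detection heuristic is an added example, not code from Bitdefender or from the report; the record format, extension lists and thresholds are assumptions chosen for illustration, and the sample inventory is constructed.

```python
"""Flag hidden folders showing ccf32-style collection: a burst of document
writes followed by an archive in the same folder.  Records are assumed to
come from an EDR or file-audit export; the field layout is our own."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

class FileRecord(NamedTuple):
    path: str             # full path, "/" separated
    parent_hidden: bool   # parent directory carries the hidden attribute
    mtime: datetime       # time the file was written

DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".cab"}

def _ext(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""

def _parent(path):
    return path.rsplit("/", 1)[0]

def find_staging_dirs(records, min_docs=5, window=timedelta(minutes=10)):
    """Return {hidden_dir: number_of_docs} for folders matching the pattern."""
    by_dir = defaultdict(list)
    for r in records:
        if r.parent_hidden:
            by_dir[_parent(r.path)].append(r)
    hits = {}
    for d, files in by_dir.items():
        docs = sorted(f.mtime for f in files if _ext(f.path) in DOC_EXTS)
        archives = [f.mtime for f in files if _ext(f.path) in ARCHIVE_EXTS]
        if len(docs) < min_docs or not archives:
            continue
        # burst: at least min_docs document writes inside one window
        burst = any(docs[i + min_docs - 1] - docs[i] <= window
                    for i in range(len(docs) - min_docs + 1))
        # the archive must be written after collection started
        if burst and max(archives) >= docs[0]:
            hits[d] = len(docs)
    return hits

# Constructed sample: one staging folder, one hidden cache without an archive,
# and a visible Documents folder edited over a week.
_T0 = datetime(2019, 3, 4, 9, 0)
SAMPLE_RECORDS = (
    [FileRecord(f"C:/Users/a/AppData/.stage/doc{i}.docx", True, _T0 + timedelta(seconds=30 * i)) for i in range(6)]
    + [FileRecord("C:/Users/a/AppData/.stage/out.zip", True, _T0 + timedelta(minutes=4))]
    + [FileRecord(f"C:/Users/a/AppData/.cache/x{i}.txt", True, _T0 + timedelta(seconds=10 * i)) for i in range(6)]
    + [FileRecord(f"C:/Users/a/Documents/report{i}.docx", False, _T0 + timedelta(days=i)) for i in range(6)]
)
```

Tune `min_docs` and `window` to the environment; backup and sync tools that write to hidden folders are the usual source of false positives.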
The FunnyDream backdoor is the most advanced malware used by the threat actor and is delivered to infected computers mainly as a DLL, but in some cases also as an executable. Its capabilities include information gathering and exfiltration, followed by cleanup, detection evasion and command processing.
The malware contains several components that perform actions such as file collection (Filepak and FilePakMonitor), screen capture (ScreenCap), keylogging (Keyrecord), internal network access (TcpBridge) and network bypass (TcpTransfer).
The most complex and customizable component of the backdoor is Md_client, which can collect system information, create a remote shell, write folders, download files, execute commands and delete folders.
During the investigation, Bitdefender's security researchers found that the C&C addresses are hard-coded into the malware binaries and that most of the attackers' infrastructure is located in Hong Kong, with only three servers elsewhere (Vietnam, China and South Korea).
Related: Chinese APT Uses DLL Side-Loading in Attacks on Myanmar
Related: Chinese Hackers Target Europe, Tibetans With 'Sepulcher' Malware
Related: Chinese Threat Actor Uses New MgBot Variant in Attacks on India, Hong Kong
Ionut Arghire is an international correspondent for SecurityWeek.