New Chinese Spyware Being Used in Widespread Cyber Espionage Attacks
A threat actor presumed to be of Chinese origin has been linked to a series of 10 attacks targeting Mongolia, Russia, Belarus, Canada, and the U.S. from January to July 2021 that involved the deployment of a remote access trojan on infected systems, according to new research.
The group is a «China-nexus cyber espionage actor focused on obtaining information that can provide the Chinese government and state-owned enterprises with political, economic, and military advantages,» according to FireEye.
Positive Technologies, in a write-up published Tuesday, revealed a new malware dropper that was used to facilitate the attacks, including the retrieval of next-stage encrypted payloads from a remote command-and-control server, which are subsequently decoded to execute the backdoor.
Also worthy of particular note are the malware’s similarities to a trojan named DropboxAES RAT, which the same threat group used last year and which relied on Dropbox for its command-and-control communications. The two share numerous overlaps in the techniques used to inject the attack code, achieve persistence, and delete the espionage tool from the host.
Russian Federal Agencies Were Attacked With Chinese Webdav-O Virus
An amalgam of multiple state-sponsored threat groups from China may have been behind a string of targeted attacks against Russian federal executive authorities in 2020.
«Chinese APTs are one of the most numerous and aggressive hacker communities,» researchers Anastasia Tikhonova and Dmitry Kupin said. «Hackers mostly target state agencies, industrial facilities, military contractors, and research institutes. The main objective is espionage: attackers gain access to confidential data and attempt to hide their presence for as long as possible».
The report builds on a number of public disclosures in May from Solar JSOC and SentinelOne, both of which described a malware called «Mail-O» that was also observed in attacks against Russian federal executive authorities and that accessed the Mail.ru cloud service. SentinelOne tied Mail-O to a variant of another well-known malicious program called «PhantomNet» or «SManager», used by a threat actor dubbed TA428.
What’s more, further investigation into TA428’s toolset has revealed numerous commonalities between BlueTraveller and a nascent malware strain named «Albaniiutas» that was attributed to the threat actor in December 2020, implying not only that Albaniiutas is an updated variant of BlueTraveller, but also that the Webdav-O malware is a version of BlueTraveller.
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT