THREAT CAMPAIGN: UNMASKING CYBER ESPIONAGE EFFORTS TARGETING SOUTHEAST ASIA
ℹ️ Threat actors using tools linked to China-based APT groups have targeted multiple high-profile organizations in Southeast Asia, including government ministries in two different countries, an air traffic control organization, a telecoms company, and a media outlet.
ℹ️ The attacks, underway since at least October 2023, appear to have intelligence gathering as their main goal. The attackers rely on a mix of open-source and living-off-the-land tools.
ℹ️ While attribution to a specific threat group cannot be determined, multiple tools used in the campaign have links to several China-based actors. Of note is the use of a proxy tool called Rakshasa and a legitimate application file used for DLL sideloading, both of which were previously used by APT41 (a.k.a. Earth Baku, Brass Typhoon).
ℹ️ A typical attack involves a remote access tool that leverages Impacket to execute commands via WMI. The attackers then install keyloggers, password collectors, and reverse proxy tools (Rakshasa, Stowaway, ReverseSSH) to maintain connections to attacker-controlled infrastructure.
ℹ️ The threat actors also install customized DLLs that act as authentication filters, allowing them to intercept login credentials as users authenticate.
ℹ️ While the attackers in this campaign used a wide selection of TTPs that differed slightly between targeted organizations, the geographical location of the targets, as well as the use of tools previously linked to China-based APT groups, suggests that this activity is the work of China-based actors.
ℹ️ Tools leveraged in these attacks have been used by Chinese state-backed groups such as Fireant (a.k.a. Mustang Panda, Stately Taurus), APT41 (a.k.a. Earth Baku, Brass Typhoon), APT27 (a.k.a. Budworm, Emissary Panda, LuckyMouse), and others.
However, because many of these groups share tools and use similar TTPs, specific attribution in this case is not possible. Report: https://lnkd.in/dbxP9XGf #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense
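The post notes that the initial access tool executes commands over WMI through Impacket. The script below is an added example, not part of the post or the underlying report: it runs a simple detection over a handful of constructed process-creation events (a flattened Sysmon EventID 1 style, invented here) and flags the default wmiexec.py execution pattern, where the WMI provider host (WmiPrvSE.exe) spawns cmd.exe with output redirected to a loopback UNC path such as \\127.0.0.1\ADMIN$\__<timestamp>. The log format and the field names are assumptions for the example; adapt the parser to whatever your SIEM emits.

```python
import re

# Constructed sample events (invented for this example, not from the report).
# Each line is a flattened process-creation record: key=value pairs joined by '|'.
SAMPLE_EVENTS = [
    # Benign: admin running a command from an interactive PowerShell session.
    r"ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami",
    # Suspicious: default wmiexec.py shape. cmd.exe spawned by the WMI provider host,
    # stdout/stderr redirected to ADMIN$ on loopback with the tool's __<epoch> file name.
    r"ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1",
    # Suspicious: same parent, operator pointed output at a different share.
    r"ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /Q /c net user 1> \\127.0.0.1\C$\__1700000001.5 2>&1",
    # Benign: WmiPrvSE spawning an inventory child with no loopback redirect.
    r"ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c ipconfig /all",
]

# Default wmiexec.py output capture: '1> \\127.0.0.1\<share>\__<epoch> 2>&1'.
# The share and file name are easily changed by an operator, so the regex is
# deliberately loose on the share and tight on the loopback host and '__' prefix.
WMIEXEC_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\[\w$]+\\__\d+(\.\d+)?\s+2>&1")

WMI_HOST_SUFFIX = "\\wbem\\wmiprvse.exe"


def parse_event(line: str) -> dict:
    """Split a 'k=v|k=v' record into a dict (CommandLine keeps everything after its first '=')."""
    event = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        event[key] = value
    return event


def classify(event: dict) -> str:
    """Return 'high', 'medium' or 'none' for a single process-creation event.

    high   : WmiPrvSE.exe parent AND the loopback ADMIN$/__<ts> redirect (wmiexec default)
    medium : redirect alone (other Impacket execution paths or a rewritten parent chain)
    none   : neither signal present
    """
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "")
    has_redirect = WMIEXEC_REDIRECT.search(cmdline) is not None
    from_wmi_host = parent.endswith(WMI_HOST_SUFFIX)
    if has_redirect and from_wmi_host:
        return "high"
    if has_redirect:
        return "medium"
    return "none"


def scan(lines) -> list:
    """Return (index, severity) for every event that is not classified as 'none'."""
    hits = []
    for idx, line in enumerate(lines):
        severity = classify(parse_event(line))
        if severity != "none":
            hits.append((idx, severity))
    return hits


if __name__ == "__main__":
    for idx, severity in scan(SAMPLE_EVENTS):
        print(f"[{severity}] event {idx}: {parse_event(SAMPLE_EVENTS[idx])['CommandLine']}")
```

The parent/child relationship (WmiPrvSE.exe spawning a shell) is the more durable of the two signals; the redirect string is a default that a rebuilt tool can drop, so tune the medium tier to your environment rather than treating it as a definitive hit.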
Flavio Queiroz, MSc, CISSP, CISM, CRISC, CCISO: Thank you very much for your amazing writeups. I appreciate what you do, find it interesting, and it helps me learn more about APTs and the way they process and flow through the attack chain.