    Web Server Exploits and Mimikatz Used in Attacks Targeting Asian Critical Infrastructure

    Ravie LakshmananMar 09, 2026Threat Intelligence / Web Security

    High-value organizations located in South, Southeast, and East Asia have been targeted by a Chinese threat actor as part of a years-long campaign.

    The activity, which has targeted aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors, has been attributed by Palo Alto Networks Unit 42 to a previously undocumented threat activity group dubbed CL-UNK-1068, where “CL” refers to “cluster” and “UNK” stands for unknown motivation.

    However, the security vendor has assessed with “moderate-to-high confidence” that the primary objective of the campaign is cyber espionage.

    “Our analysis reveals a multi-faceted tool set that includes custom malware, modified open-source utilities, and living-off-the-land binaries (LOLBINs),” security researcher Tom Fakterman said. “These provide a simple, effective way for the attackers to maintain a persistent presence within targeted environments.”

    The tools are designed to target both Windows and Linux environments, with the adversary relying on a mix of open-source utilities and malware families such as Godzilla, ANTSWORD, Xnote, and Fast Reverse Proxy (FRP), all of which have been put to use by various Chinese hacking groups.

    While both Godzilla and ANTSWORD function as web shells, Xnote is a Linux backdoor that’s been detected in the wild since 2015 and has been deployed by an adversarial collective known as Earth Berberoka (aka GamblingPuppet) in attacks aimed at online gambling sites.

    Typical attack chains entail the exploitation of web servers to deliver web shells and move laterally to other hosts, followed by attempts to steal files matching certain extensions (“web.config,” “.aspx,” “.asmx,” “.asax,” and “.dll”) from the “c:\inetpub\wwwroot” directory of a Windows web server likely in an attempt to steal credentials or discover vulnerabilities.

    Other files harvested by CL-UNK-1068 include web browser history and bookmarks, XLSX and CSV files from desktops and USER directories, and database backup (.bak) files from MS-SQL servers.

    In an interesting twist, the threat actors have been observed using WinRAR to archive the relevant files, Base64-encoding the archives by executing the certutil -encode command, and then running the type command to print the Base64 content to their screen through the web shell.

    “By encoding the archives as text and printing them to their screen, the attackers were able to exfiltrate data without actually uploading any files,” Unit 42 said. “The attackers likely chose this method because the shell on the host allowed them to run commands and view output, but not to directly transfer files.”

    One of the techniques employed in these attacks is the use of legitimate Python executables (“python.exe” and “pythonw.exe”) to launch DLL side-loading attacks and stealthily execute malicious DLLs, including FRP for persistent access, PrintSpoofer, and a Go-based custom scanner named ScanPortPlus.
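The three behaviours just described (web-shell-driven file collection from the IIS document root, archive-then-certutil-encode-then-type exfiltration, and python.exe DLL side-loading) all leave a recognisable footprint in process-creation and image-load telemetry. The script below is an added example written for this article, not code from Unit 42 or from the report; it runs a few correlation rules over constructed sample events whose field names (host, event, image, parent, cmdline, loaded) are an assumed, Sysmon-like shape rather than any vendor's real schema, and the hostnames and paths are invented.

```python
"""Correlation rules for the CL-UNK-1068 web shell / exfil-by-display / side-loading
footprint. Added example with constructed telemetry; the record layout loosely
mirrors Sysmon process-creation (EID 1) and image-load (EID 7) events but is an
assumption, not a real schema."""
import ntpath
import re
from collections import defaultdict

# Constructed sample events (hosts, paths and command lines are invented).
SAMPLE_EVENTS = [
    {"host": "web01", "event": "process", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "w3wp.exe -ap DefaultAppPool"},
    {"host": "web01", "event": "process", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": r"Rar.exe a C:\Windows\Temp\out.rar C:\inetpub\wwwroot\web.config"},
    {"host": "web01", "event": "process", "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": r"certutil -encode C:\Windows\Temp\out.rar C:\Windows\Temp\out.txt"},
    {"host": "web01", "event": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": r"cmd.exe /c type C:\Windows\Temp\out.txt"},
    {"host": "app02", "event": "image_load", "image": r"C:\Users\Public\python.exe",
     "loaded": r"C:\Users\Public\python3.dll"},
    {"host": "app02", "event": "image_load", "image": r"C:\Python311\python.exe",
     "loaded": r"C:\Python311\python3.dll"},
    # Legitimate admin use of certutil -encode on a non-web host: encode alone is a weak signal.
    {"host": "build03", "event": "process", "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil -encode C:\certs\server.cer C:\certs\server.b64"},
]

WEB_WORKERS = {"w3wp.exe"}                      # IIS worker process
LOLBINS = {"cmd.exe", "certutil.exe", "powershell.exe", "rar.exe", "winrar.exe"}
PYTHON_HOSTS = {"python.exe", "pythonw.exe"}    # legitimate binaries abused for side-loading
# Directories an unprivileged user can normally write to; tune for your estate.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\|programdata\\|windows\\temp\\|temp\\)", re.I)
CERTUTIL_ENCODE = re.compile(r'certutil(?:\.exe)?\s+-encode\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.I)
TYPE_CMD = re.compile(r'\btype\s+"?([^"\s]+)"?', re.I)


def basename(path):
    return ntpath.basename(path).lower()


def analyze(events):
    """Return (host, rule, detail) findings; events must be in chronological order per host."""
    findings = []
    encoded_outputs = defaultdict(set)  # host -> files written by certutil -encode
    for ev in events:
        host, image = ev["host"], basename(ev["image"])
        if ev["event"] == "process":
            parent, cmd = basename(ev.get("parent", "")), ev.get("cmdline", "")
            # Rule 1: the web server worker spawning a LOLBIN is the classic web shell footprint.
            if parent in WEB_WORKERS and image in LOLBINS:
                findings.append((host, "webshell_child_process", cmd))
            # Rule 2: certutil -encode turns a binary (here an archive) into Base64 text.
            m = CERTUTIL_ENCODE.search(cmd)
            if m:
                encoded_outputs[host].add(ntpath.normcase(m.group(2)))
                findings.append((host, "certutil_encode", m.group(1)))
            # Rule 3: `type` on that text file is what completes exfiltration by display.
            if image == "cmd.exe":
                t = TYPE_CMD.search(cmd)
                if t and ntpath.normcase(t.group(1)) in encoded_outputs[host]:
                    findings.append((host, "exfil_by_display", t.group(1)))
        elif ev["event"] == "image_load":
            # Rule 4: python.exe relocated into a user-writable directory and loading a DLL
            # from that same directory is the side-loading pattern (venvs and portable
            # installs are false-positive sources; keep an allowlist).
            loaded = ev.get("loaded", "")
            same_dir = ntpath.normcase(ntpath.dirname(loaded)) == ntpath.normcase(ntpath.dirname(ev["image"]))
            if image in PYTHON_HOSTS and USER_WRITABLE.match(ev["image"]) and same_dir:
                findings.append((host, "python_dll_sideload", loaded))
    return findings


def hosts_with_exfil_chain(events):
    """Hosts where a web-server-spawned chain ran all the way to exfil-by-display."""
    per_host = defaultdict(set)
    for host, rule, _ in analyze(events):
        per_host[host].add(rule)
    required = {"webshell_child_process", "certutil_encode", "exfil_by_display"}
    return sorted(h for h, rules in per_host.items() if required <= rules)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
    print("full exfil chain on:", hosts_with_exfil_chain(SAMPLE_EVENTS))
```

Note the design choice in rule 3: a lone certutil -encode (build03 above) is only a weak signal, since administrators do use it on certificates, so the rule scores the chain rather than the single command and only flags exfil when the file that was encoded is later displayed on a host where the web worker is spawning shells.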

    CL-UNK-1068 is also said to have engaged in reconnaissance efforts using a custom .NET tool named SuperDump as far back as 2020. Recent intrusions have transitioned to a new method that uses batch scripts to collect host information and map the local environment.

    Also utilized by the adversary is a wide range of tools to facilitate credential theft –

    “Using primarily open-source tools, community-shared malware and batch scripts, the group has successfully maintained stealthy operations while infiltrating critical organizations,” Unit 42 concluded.

    “This cluster of activity demonstrates versatility by operating across both Windows and Linux environments, using different versions of their tool set for each operating system. While the focus on credential theft and sensitive data exfiltration from critical infrastructure and government sectors strongly suggests an espionage motive, we cannot yet fully rule out cybercriminal intentions.”
