A suspected China-based cyber espionage operation has targeted Southeast Asian military organizations as part of a state-sponsored campaign that dates back to at least 2020.
Palo Alto Networks Unit 42 is tracking the threat activity under the moniker CL-STA-1087, where CL refers to cluster, and STA stands for state-backed motivation.
“The activity demonstrated strategic operational patience and a focus on highly targeted intelligence collection, rather than bulk data theft,” security researchers Lior Rochberger and Yoav Zemah said. “The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces.”
The campaign exhibits hallmarks commonly associated with advanced persistent threat (APT) operations, including carefully crafted delivery methods, defense evasion strategies, highly stable operational infrastructure, and custom payload deployment designed to support sustained unauthorized access to compromised systems.
The tools used by the threat actor in the malicious activity include backdoors named AppleChris and MemFun, and a credential harvester called Getpass.
The cybersecurity vendor said it detected the intrusion set after identifying suspicious PowerShell execution, allowing the script to enter into a sleep state for six hours and then create reverse shells to a threat actor-controlled command-and-control (C2) server. The exact initial access vector used in the attack remains unknown.
The infection sequence involves the deployment of AppleChris, different versions of which are dropped across target endpoints following lateral movement to maintain persistence and evade signature-based detection. The threat actors have also been observed conducting searches related to official meeting records, joint military activities, and detailed assessments of operational capabilities.
“The attackers showed particular interest in files related to military organizational structures and strategy, including command, control, communications, computers, and intelligence (C4I) systems,” the researchers noted.
Both AppleChris variants and MemFun are designed to access a shared Pastebin account, which acts as a dead drop resolver to fetch the actual C2 address stored in Base64-decoded format. One version of AppleChris also relies on Dropbox to extract the C2 information, with the Pastebin-based approach used as a fallback option. The Pastebin pastes date back to September 2020.
Launched via DLL hijacking, AppleChris initiates contact with the C2 server to receive commands that allow it to conduct drive enumeration, directory listing, file upload/download/deletion, process enumeration, remote shell execution, and silent process creation.
The second tunneler variant represents an evolution of its predecessor, using just Pastebin to get the C2 address, in addition to introducing advanced network proxy capabilities.
“To…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
