APT group focuses on high-profile networks in Central Asia
Security companies have blocked an advanced cyber-espionage campaign by a China-linked APT aimed at infiltrating a government agency and two companies.
Antivirus companies discovered and blocked an advanced cyber-espionage campaign targeting a government agency and two companies in the telecommunications and gas sectors.
The sophistication of the attack and the nature of the targets point to an advanced persistent threat, probably operating from China, conducting cyber-espionage in Central Asia.
The attackers used several commodity malware families as well as previously unknown backdoors. Analysis of their code suggests a possible link with various campaigns discovered over several years.
Most of the C2 infrastructure used by the attackers is hosted by Choopa, LLC, and the attackers frequently used Gh0st RAT, a malware family attributed to cyber-espionage groups with ties to China.
ESET and Avast first discovered the attacks in September and January, respectively. The researchers found a host used as a repository for hacking tools and backdoors whose code has much in common with malware previously associated with China-linked APT groups.
"The samples we analyzed include links to malware and campaigns such as Microcin, BYEBY and Vicious Panda, previously described by Kaspersky, Palo Alto Networks and Check Point. The backdoors we found are custom-made tools which, as far as we know, have not yet been analyzed," reads Avast's report. "Most C&C servers are registered on the Choopa, LLC hosting platform, which has been used by cybercriminals in the past."
Below is a diagram of the attacks that appear to be associated with the same threat actor.
"The APT group, which we believe originates from China, set up backdoors to gain long-term access to corporate networks. Based on our analysis, we suspect that the group was also behind attacks in Mongolia, Russia and Belarus."
ESET researchers investigating the attacks found three backdoors, which they track collectively as Mikroceen. Through the backdoors, the threat actors could manage the target file system, spawn a remote shell, take screenshots, manage services and processes, and execute console commands.
Below is the list of backdoors published by ESET:
sqllauncher.dll (backdoor protected by VMProtect)
logon.dll (backdoor protected by VMProtect)
logsupport.dll (backdoor protected by VMProtect)
All three are protected against reverse engineering. Two of them, sqllauncher.dll and logon.dll, run as services and share the same C2 infrastructure.
The attackers use a version of the Mimikatz post-exploitation tool and rely on Windows Management Instrumentation (WMI) for lateral movement.
Avast reported its findings to the local CERT team and contacted the telecommunications company. "We haven't received any response from any of the organizations."
Using the analyzed samples, Avast has recently protected users in Central Asia from new attacks.
Avast and ESET have both published a list of compromise indicators (IoC) for the above threats.
(Security issues – Microcin malware, hacking)