Chinese gov’t hackers using 'diverse' toolset to target Asian prime ministers, telecoms
Hackers associated with the Chinese military are leveraging a wide range of legitimate software packages in order to load their malware payloads and target government leaders across Asia, according to the Symantec Threat Hunter team.
The attacks involve a widely-used technique known as Dynamic-link library (DLL) side-loading. The tactic takes advantage of how Microsoft Windows applications handle DLL files and involves malware that places a malicious DLL file in a Windows’ WinSxS directory so that the operating system loads it instead of the legitimate file.
The Symantec Threat Hunter team said the campaign targeted a range of government and state-owned organizations in several Asian countries, including the offices of multiple prime ministers or heads of government.
Government organizations tied to finance, aerospace and defense companies were also targeted alongside state-owned telecoms, IT organizations and media companies.
Dick O’Brien, principal intelligence analyst for the Symantec Threat Hunter team, told The Record that what stood out most to him was how frequently they see this group use DLL side-loading in their attacks.
“This tactic has been known for a very long time now, but it is obviously still yielding results for them. You can't just use any application for it,” O’Brien said. “Most software now has built in-protections against the technique, which is why the attackers are installing old software for this purpose. In some cases, the applications used are more than a decade old.”
Symantec researchers said the campaign is tied to a distinct group of espionage attackers previously tied to the use of the ShadowPad remote access Trojan — a tool used used widely by an ever–increasing number of People’s Liberation Army (PLA) and Ministry of State Security (MSS)-linked groups. Its origins are linked to known MSS contractors who were first seen using the tool in their own operations before it was spread among other government groups.
The latest campaign started in 2021 and is “almost exclusively focused” on intelligence gathering on government or public entities.
Symantec found that the attacks leveraged a wide range of legitimate software packages in order to load their malware payloads, with the attackers using multiple software packages in a single attack.
“In many cases, the software used was old and outdated versions of software, including security software, graphics software, and web browsers. In some cases legitimate system files from the legacy operating system Windows XP were used,” the researchers explained.
“The reason for using outdated versions is that most current versions of the software used would have mitigation against side-loading built-in.”
After gaining access through a backdoor, the attackers typically used tools to steal credentials and then moved to using network scanning tools as a way to find other computers that would be easy to exploit.
As an example, the researchers went through an incident that targeted a government-owned organization in the education sector in Asia. The attack began on April 23 and the hackers stayed on the network until July.
While inside the network, the attackers attempted to take advantage of CVE-2020-1472 – a Netlogon vulnerability the U.S. agencies said was one of the most exploited bugs in 2021. Symantec noted that the attackers also used CVE-2021- 26855, another widely-exploited Microsoft vulnerability.
By May 16, the hackers began to move laterally around the organization’s network, using a range of information stealers, keyloggers and more to steal data. The hackers also took screenshots and collected other data during their time in the network.
According to Symantec, there is evidence linking the group behind the attacks to previous incidents involving the Korplug/PlugX malware and to attacks by a number of known groups, including Blackfly/Grayfly (APT41), and Mustang Panda.
Other tools found by Symantec researchers had ties to a long-running campaign involving Korplug/Plug X targeting the Roman Catholic Church.
Some of the keylogging tools deployed in this attack were previously seen in attacks against critical infrastructure in South East Asia, the researchers added.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.