NAIKON Threat Group Resurfaces

May 10, 2022

Industry: Foreign Affairs, Government, Military, Science, Technology | Level: Tactical | Source: Cluster25

Cluster25 has recently identified the advanced persistent threat (APT) group NAIKON (aka Override Panda) as resurfacing. The threat group’s activity has been targeting countries in the Association of Southeast Asian Nations (ASEAN). An observed attack from the threat group begins with a phishing email containing a document with malicious VBA code that writes executables to the temp folder. Finally, a beacon from Viper, an offensive security framework, is injected into svchost.exe. Based on the group’s past activity, its targeting appears to align with Chinese interests and to focus on foreign affairs, government, military, science, and technology organizations. Its campaigns focus on intelligence collection and espionage.

  • Anvilogic Use Cases:
    • Malicious Document Execution
    • Executable Process from Suspicious Folder
    • Rare Remote Thread
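The three use cases above map directly onto the described chain (Office document drops an executable into the temp folder, which then injects into svchost.exe). The following Python is an added example, not code from Cluster25 or Anvilogic, showing how endpoint process-create and remote-thread events could be evaluated and correlated; the event field names, the Office parent list and the allowlist of benign remote-thread sources are assumptions.

```python
import re

# Constructed sample telemetry (not from the Cluster25 report): simplified
# process-create and remote-thread records as a detection pipeline might see them.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe"},
    {"type": "remote_thread",
     "source": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Windows\System32\svchost.exe"},
    {"type": "remote_thread", "source": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\svchost.exe"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed parent set
TEMP_PATH = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.IGNORECASE)
# Assumed baseline of processes that legitimately create threads in svchost.exe.
KNOWN_THREAD_SOURCES = {"csrss.exe", "lsass.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (use_case, image) findings for each event matching a use case."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            in_temp = bool(TEMP_PATH.search(ev["image"]))
            if basename(ev["parent"]) in OFFICE_PARENTS and in_temp:
                findings.append(("Malicious Document Execution", ev["image"]))
            if in_temp and ev["image"].lower().endswith(".exe"):
                findings.append(("Executable Process from Suspicious Folder", ev["image"]))
        elif ev["type"] == "remote_thread":
            if basename(ev["target"]) == "svchost.exe" \
                    and basename(ev["source"]) not in KNOWN_THREAD_SOURCES:
                findings.append(("Rare Remote Thread", ev["source"]))
    return findings


def correlate(findings):
    """Images flagged both as a temp-folder executable and as a remote-thread source."""
    dropped = {img for uc, img in findings if uc != "Rare Remote Thread"}
    injectors = {img for uc, img in findings if uc == "Rare Remote Thread"}
    return dropped & injectors
```

Chaining the stages this way lets a single high-confidence alert replace three separate low-signal ones when the same dropped executable is also the injection source.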

APT10/Cicada Espionage Attacks

April 12, 2022

Industry: Government, Legal, Non-Governmental Organizations (NGOs), Pharmaceutical, Religious, Telecommunications | Level: Tactical | Source: Symantec

Symantec has been tracking an espionage campaign spanning several months (earliest signs in mid-2021) tied to the Chinese APT group APT10 (aka Cicada, Stone Panda, Potassium, Bronze Riverside, or MenuPass Team). The APT group has previously targeted Japanese-linked companies; however, it has recently expanded its attacks globally, including Europe, Asia, and North America. Entities targeted by the group include government, legal, religious, and non-governmental organizations (NGOs), though the current campaign appears to focus on government and NGO entities. Whereas APT10 previously focused primarily on Japanese companies, only one victim in Japan was identified in the present campaign. Techniques used in the campaign include exploiting Microsoft Exchange Servers for initial access, with various tools used during the attack phase including WinRAR for data archival, Mimikatz, WMIExec, NBTScan, and the group’s custom tool Sodamaster. Sodamaster is capable of sandbox evasion, host enumeration, and downloading additional payloads.

  • Anvilogic Use Cases:
    • Common Reconnaissance Commands
    • Utility Archive Data
    • Mimikatz
    • Wscript/Cscript Execution
    • WinRM Tools
    • Query Registry

Deep Panda & Fire Chili Rootkits

April 05, 2022

The Chinese APT group Deep Panda has been identified by researchers at FortiGuard Labs exploiting the Log4Shell vulnerability and deploying a new digitally signed rootkit dubbed Fire Chili.

Antlion APT Group

February 08, 2022

Industry: Financial & Manufacturing | Level: Tactical | Source: Symantec

Symantec reports threat activity from Antlion, a Chinese state-backed APT group. For the past 18 months, the threat group has been actively targeting Taiwanese financial institutions. The group’s operations involve long dwell times: in recent attacks, it was observed on a financial organization’s network for approximately 250 days and on a manufacturing organization’s network for 175 days. The group leverages a custom backdoor, xPack. In a case study, the group was observed running various commands (for example via WMI), exploiting EternalBlue, gathering credentials from the registry, running PsExec, and archiving collected data. Unexplained gaps in threat activity further emphasize the group’s slow, methodical pace.

  • Anvilogic Use Cases:
    • WinRM Tools
    • Credentials in Registry
    • Remote Admin Tools
    • Locate Credentials

Chinese Cyber-Espionage Group Earth Lusca

January 25, 2022

Industry: Education, Finance, Gambling, Government, News, Telecommunications and Religion | Level: Operational | Source: TrendMicro

Earth Lusca, an identified Chinese cyber-espionage group, has been conducting covert operations against multiple institutions in a variety of locations of interest to the Chinese government, while also pursuing financially motivated activity for profit. Its geographic spread is wide, and the industries targeted include education, finance (cryptocurrency), gambling, government, news, telecommunications, and religion. According to TrendMicro’s research, the group’s operations began in mid-2021 with watering hole attacks targeting service companies. Initial access can also be obtained through spear-phishing campaigns or by exploiting public-facing vulnerabilities such as ProxyShell or Oracle vulnerabilities.

  • Anvilogic Scenarios:
    • Earth Lusca – InitialAccess – Behaviors
    • Earth Lusca – PostExploit – Behaviors
  • Anvilogic Use Cases:
    • Suspicious Email Attachment
    • MSHTA.exe execution
    • Certutil De-Obfuscate/Decode Files
    • Potential ProxyShell

Stardust Chollima

November 24, 2021

Industry: N/A | Level: Strategic | Source: DailyBeast

North Korean hackers designated by CrowdStrike as “Stardust Chollima” are suspected of going after Chinese security researchers with the objective of stealing their hacking techniques. In June 2021, phishing emails were distributed containing malicious attachments titled “Securitystatuscheck.zip” and “_signed.pdf.” The emails contained references to China’s Ministry of Public Security and the National Information Security Standardization Technical Committee. The motive appears to be obtaining new techniques, particularly zero-days, for offensive campaigns. It is currently unknown whether there were any victims.