2024-12-26

Months-Long Cyber Espionage Operation Hits Key Industries in Southeast Asia

Level: Tactical | Source: Symantec
Industries: Aviation, Government, Media, Telecommunications


An espionage campaign, active since October 2023, has targeted multiple critical organizations across Southeast Asia, impacting businesses associated with government ministries, aviation entities, telecommunications providers, and media outlets. Symantec's Threat Hunter team discovered and reported this intrusion, identifying tools and tactics consistent with those used by China-based advanced persistent threat (APT) groups, although specific attribution remains undetermined. "Tools leveraged in these attacks have been used by Chinese state-backed groups such as Fireant (aka Mustang Panda, APT31, Stately Taurus), Earth Baku (aka APT41, Brass Typhoon), Budworm (aka APT27, Emissary Panda, Lucky Mouse), and others. However, due to many of these groups frequently sharing tools and using similar TTPs, specific attribution in this case is not possible," Symantec's Threat Hunter team explains. The campaign's primary objective appears to be intelligence gathering, with the threat actors maintaining prolonged access.

Prominent usage of Living-off-the-Land Binaries (LOLBins) was observed, including PowerShell, CMD, “reg.exe” for registry modifications, “schtasks.exe” for persistence, and WMI for remote command execution in conjunction with Impacket. The attackers' activity timeline spanned from May 27 to September 4, affecting four distinct machines. Throughout the intrusion, sensitive data was archived using WinRAR and exfiltrated to sites such as the file-sharing platform file[.]io. On Machine 1, the attackers initiated activity on May 27 at 14:15, using PowerShell to modify the “LocalAccountTokenFilterPolicy” registry key. Shortly after, at 14:18, WMI was used to execute commands remotely via Impacket. Reconnaissance activities followed at 14:22, involving commands like “netsh,” “net,” and “netstat” to gather network configuration details. On May 28, Symantec reported additional Impacket activity, registry modifications, and the creation of scheduled tasks. By May 30, the attackers executed commands like “fsutil fsinfo” to list file system drives and mounted network shares to facilitate data collection and exfiltration.

Activity on Machine 2 began on May 27 at 13:41, with commands executed via TightVNC to bypass UAC. The attackers used “reg add” to modify registry keys, once again tampering with the “LocalAccountTokenFilterPolicy” key to enable full administrative privileges for local accounts when connecting remotely by setting its value to 1. Later, at 15:08, further registry modifications hid specific user accounts, followed by password dumping using “reg save.” On May 28, additional executions via WMI were observed, creating persistence in the registry run key and a scheduled task for an executable masquerading as legitimate .NET framework components.

On Machine 3, activity was tracked on August 20 with the deployment of ReverseSSH for remote access. At 07:32, a scheduled task was created to execute a batch script, and WMI commands installed a keylogger disguised as “ChromeUpdate.exe.” Network reconnaissance followed at 08:11 using “ipconfig.” The attackers returned on September 4, creating additional scheduled tasks to execute batch scripts for ongoing access. On Machine 4, activity on August 6 involved executing a batch script (ime.bat) to install a new authentication mechanism called “Win32Pro.” Registry commands were used to add and query Windows Local Security Authority (LSA) settings. The “reg add” command added a new Kerberos authentication entry named “Auth0” with the value Win32Pro, while the “reg query” commands checked the values of “Notification Packages” and “Security Packages,” logging all outputs to “c:\windows\ime\ime.log” for potential monitoring or debugging purposes.

The attackers’ exfiltration techniques involved compressing sensitive data with WinRAR and uploading the archives to file[.]io. The combination of LOLBins, scheduled tasks, and remote access tools demonstrates the threat actors’ capability to maintain long-term access and evade security measures. Symantec's in-depth reporting on this intrusion follows another report detailing a suspected China-based threat actor impacting a U.S. organization, demonstrating their ability to maintain stealth while compromising multiple workstations.
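As an added defender-side example (not code from the Symantec report or from Anvilogic), the detection logic below runs over constructed process-creation records and flags the registry, scheduled-task and archiving commands described above, then correlates hits per host so a chain of LOLBin activity stands out from a single benign hit. The pipe-delimited record format, host names and command lines are constructed assumptions, not data from the report.

```python
import re
from collections import defaultdict

# Detection rules: name -> case-insensitive regex over the process command line.
RULES = {name: re.compile(pat, re.I) for name, pat in {
    "LocalAccountTokenFilterPolicy modified":
        r"(reg(\.exe)?\s+add|set-itemproperty|new-itemproperty).*localaccounttokenfilterpolicy",
    "credential hive dumped with reg save":
        r"\breg(\.exe)?\s+save\s+\"?hklm\\(sam|security|system)\b",
    "LSA authentication package key touched":
        r"\breg(\.exe)?\s+(add|query)\s+\"?hklm\\system\\currentcontrolset\\control\\lsa\b",
    "scheduled task created":
        r"\bschtasks(\.exe)?\s+/create\b",
    "WinRAR archive created":
        r"\b(rar|winrar)(\.exe)?\s+a\b",
}.items()}

def parse_event(line):
    """Split one constructed 'timestamp|host|event_id|command_line' record."""
    timestamp, host, event_id, command_line = line.split("|", 3)
    return timestamp, host, int(event_id), command_line

def scan(lines):
    """Return (timestamp, host, rule, command_line) for every rule hit on a 4688 record."""
    findings = []
    for line in lines:
        timestamp, host, event_id, command_line = parse_event(line)
        if event_id != 4688:  # only process-creation records carry a command line here
            continue
        for name, rx in RULES.items():
            if rx.search(command_line):
                findings.append((timestamp, host, name, command_line))
    return findings

def correlate(findings, min_rules=2):
    """Hosts where at least min_rules distinct rules fired: one LOLBin hit is noise, a chain is not."""
    per_host = defaultdict(set)
    for _, host, rule, _ in findings:
        per_host[host].add(rule)
    return {host for host, rules in per_host.items() if len(rules) >= min_rules}

# Constructed sample records (not from the Symantec report); host names mirror the report's machines.
SAMPLE_EVENTS = [
    r'2024-05-27T14:15:00|MACHINE1|4688|powershell.exe -nop -c "Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1"',
    r'2024-05-27T14:18:00|MACHINE1|4624|-',
    r'2024-05-27T15:08:00|MACHINE2|4688|reg save hklm\sam C:\Windows\Temp\s.hiv',
    r'2024-05-28T09:10:00|MACHINE2|4688|schtasks /create /tn "\Microsoft\Windows\.NET Framework\NGEN" /tr C:\ProgramData\ngen.exe /sc onlogon',
    r'2024-08-06T10:00:00|MACHINE4|4688|reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages" /t REG_MULTI_SZ /d Win32Pro /f',
    r'2024-08-20T07:40:00|MACHINE3|4688|rar a -r C:\Users\Public\out.rar C:\Users\analyst\Documents',
]
```

Running `scan(SAMPLE_EVENTS)` yields one hit per rule, and `correlate` on those hits returns only MACHINE2, the host where a credential-hive dump and a task creation fired together.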
