In recent months, a relentless cyber attack campaign originating from China has been targeting the lucrative Southeast Asian gambling sector. This alarming campaign employs sophisticated techniques to deploy Cobalt Strike beacons on compromised systems, posing significant risks to the targeted industry. By examining the modus operandi of the threat actors, we can gain valuable insights into their attack methods and the evolving Chinese threat landscape.
Exploiting Vulnerabilities
The attackers exploit vulnerabilities in well-known executables such as Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan to achieve their nefarious objectives. By leveraging DLL hijacking techniques, the threat actors are able to coerce these executables into deploying Cobalt Strike beacons. This covert deployment allows them to establish persistent access to compromised systems, potentially leading to the exfiltration of sensitive data or disrupting critical operations.
Modified Installers and Malware Loader
To gain initial access, the attackers employ modified installers for popular chat applications. These tampered installers have been engineered to download a .NET malware loader that acts as a crucial second-stage component of the attack chain. Interestingly, the loader is configured to retrieve a second-stage ZIP archive hosted on Alibaba buckets, showcasing the attackers’ meticulous planning and use of legitimate services as camouflage.
Components of the ZIP File
The retrieved ZIP file contains three key elements: a legitimate executable vulnerable to DLL search order hijacking, a malicious DLL, and an encrypted data file named “agent.data”. The attackers skillfully utilize the vulnerability in the executable to decrypt and execute code embedded in the data file, flawlessly implementing the Cobalt Strike beacon.
Execution of Cobalt Strike Beacon
The deployment of Cobalt Strike beacons enables attackers to gain full control over compromised systems. By leveraging vulnerable executables, such as Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan, threat actors decrypt and execute the code embedded in the data file. This execution brings the Cobalt Strike beacon to life, serving as a remote access tool that supports a multitude of malicious activities, including lateral movement, data exfiltration, and reconnaissance.
Ineffective Execution Halt
The attackers attempted to halt the execution of the loaders on machines located in specific countries such as Canada, France, Germany, India, Russia, the UK, and the US. However, these efforts were ultimately unsuccessful, highlighting the determination and global reach of the threat actors behind this campaign.
Ivacy VPN Certificate
An interesting discovery made by cybersecurity firm SentinelOne reveals that one of the .NET malware loaders, identified as “AdventureQuest.exe,” bears a digital certificate issued to Ivacy VPN, a Singapore-based VPN provider. This finding suggests the theft of the signing key at some point during the attack chain, further underscoring the sophisticated nature and international ramifications of this cyber campaign.
HUI Loader Variants
The side-loaded DLL files utilized in this campaign are attributed to HUI Loader variants. These custom malware loaders have been extensively observed in the activities of China-based threat groups such as APT10, Bronze Starlight, and TA410. This connection indicates shared operational tactics and infrastructure among China-nexus threat actors, showcasing a persistent threat landscape.
Sharing of Threat Tactics
The ongoing activities observed in this cyber attack campaign support the notion that China-based threat actors consistently share malware, infrastructure, and operational tactics. This coordinated sharing enhances their collective abilities and presents a continuing challenge to global cybersecurity defenders. The intricate nature of the Chinese threat landscape is further underscored by the breadth and depth of this campaign.
As the cyberattack campaign targeting the Southeast Asian gambling sector unfolds, it serves as a stark reminder of the ever-evolving threat landscape from China. The exploitation of vulnerabilities in widely used executables, the employment of modified installers, and the deployment of sophisticated malware loaders highlight the attackers’ technical prowess and commitment to their malicious objectives. To effectively combat such campaigns, increased international collaboration, information sharing, and robust cybersecurity measures will be essential. Only through a united effort can we hope to negate the persistent and evolving threats posed by China-nexus threat actors.