Chinese state-backed hackers are known for their ability to hide inside compromised systems while silently exfiltrating data, as well as for the speed with which they exploit newly disclosed vulnerabilities and current events.
These traits are evidenced in a number of recent reports from cybersecurity providers.
The war in Ukraine has been used as bait in phishing attempts by the state-backed actor Mustang Panda, reports Cisco Talos. The Advanced Persistent Threat (APT) group Mustang Panda, also known as TA416, RedDelta and Bronze President, has previously used topics such as international summits and pandemics as lures in its social engineering attempts, and was recently seen attacking targets in Ukraine, Russia, the United States, Myanmar, Hong Kong, Japan, Taiwan, Tibet, Afghanistan and India, using weaponised official-looking documents.
Mustang Panda typically deploys PlugX, a backdoor downloaded onto the victim's devices that gives the group persistent access to infected systems, but has recently changed its methods, Talos said.
"Apart from Mustang Panda's tool of choice, PlugX, we have seen a steady increase in the use of intermediate payloads, such as various stagers and reverse shells. The group is also constantly developing its delivery mechanisms, consisting of maldocs, shortcut files, malicious archives and, more recently, downloaders, starting in 2022."
It continues: "Mustang Panda is a highly motivated APT group that relies heavily on the use of local lures and social engineering to trick victims into infecting themselves."
Another China-aligned hacker group, Moshen Dragon (also known as, or affiliated with, Nomad Panda and RedFoxtrot), also uses PlugX to maintain access, according to security provider SentinelOne.
This threat actor, which recently attacked telecommunications systems in Central Asia, also uses the more sophisticated ShadowPad malware, which has served as the main backdoor for espionage operations in a number of campaigns, including the CCleaner, NetSarang and ASUS supply chain attacks.
"PlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors, mainly for espionage. These tools have flexible, modular functionality and are compiled using shellcode to easily bypass traditional endpoint protection products," the report said.
The group hijacks legitimate, signed security software from Kaspersky, Symantec, Trend Micro and others, side-loading its own DLL to deliver ShadowPad and other malware, then moves laterally through infected systems and establishes persistence. However, says SentinelOne, the problem is more a flaw in Windows than the fault of the security providers.
"Rather than criticising any of these products for their abuse by a persistent threat actor, we remind readers that this attack vector reflects an age-old design flaw in the Windows operating system that allows DLL search order hijacking."
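The design flaw SentinelOne refers to is that, for a DLL not listed in KnownDLLs, Windows searches the application's own directory before System32. An attacker who copies a signed vendor executable into a writable folder alongside a malicious DLL carrying a system DLL's name gets that DLL loaded by a trusted process. The following detection script is an added example written for this article, not SentinelOne's or any vendor's code: it runs two checks over constructed image-load events (modelled loosely on Sysmon Event ID 7 but in a simplified `key=value|key=value` format invented here) and flags loads that fit the side-loading pattern. The system DLL names and user-writable path prefixes are short illustrative lists, not exhaustive ones.

```python
"""Flag DLL side-loading candidates in image-load telemetry.

Rules (assumptions for this example):
  1. A DLL whose name normally lives in a system directory is loaded from
     somewhere else: the copy shadows the real one because the application
     directory is searched first (SafeDllSearchMode, DLL not in KnownDLLs).
  2. An unsigned DLL is loaded from the loading process's own directory and
     that directory is writable by a standard user.
Both rules only fire for unsigned DLLs, to keep false positives down.
"""
from pathlib import PureWindowsPath

# Directories Windows consults after the application directory (lower-cased, posix separators).
SYSTEM_DIRS = ("c:/windows/system32", "c:/windows/syswow64", "c:/windows")

# Sample of DLL names that legitimately live in System32. Assumption: short list for illustration.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "userenv.dll"}

# Locations a standard user can write to. Assumption: short list for illustration.
WRITABLE_PREFIXES = ("c:/users/", "c:/programdata/", "c:/temp/")

# Constructed sample events, not real telemetry. Fields: Image (process), ImageLoaded (DLL),
# Signed (whether the loaded DLL carries a valid signature).
SAMPLE_LOG = [
    r"Image=C:\Program Files\VendorAV\avscan.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"Image=C:\Program Files\VendorAV\avscan.exe|ImageLoaded=C:\Program Files\VendorAV\engine.dll|Signed=true",
    r"Image=C:\Users\Public\Libraries\avscan.exe|ImageLoaded=C:\Users\Public\Libraries\version.dll|Signed=false",
    r"Image=C:\ProgramData\Update\updater.exe|ImageLoaded=C:\ProgramData\Update\helper.dll|Signed=false",
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\wtsapi32.dll|Signed=true",
]


def parse_event(line: str) -> dict:
    """Turn one 'key=value|key=value' line into a dict with normalised fields."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return {
        "image": fields["Image"],
        "loaded": fields["ImageLoaded"],
        "signed": fields["Signed"].strip().lower() == "true",
    }


def classify(ev: dict) -> list:
    """Return the reasons this image load looks like DLL side-loading (empty list if benign)."""
    if ev["signed"]:
        return []  # both rules require an unsigned DLL
    dll = PureWindowsPath(ev["loaded"])
    proc = PureWindowsPath(ev["image"])
    dll_dir = dll.parent.as_posix().lower()
    proc_dir = proc.parent.as_posix().lower()
    reasons = []
    # Rule 1: a system DLL name resolved from outside the system directories.
    if dll.name.lower() in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        reasons.append(f"{dll.name} resolved from {dll.parent} instead of a system directory")
    # Rule 2: unsigned DLL loaded from the process's own directory, and that directory is writable.
    if dll_dir == proc_dir and dll_dir.startswith(WRITABLE_PREFIXES):
        reasons.append(f"unsigned DLL loaded from the process's own user-writable directory {dll.parent}")
    return reasons


def find_side_loads(lines) -> list:
    """Return (process, dll, reasons) for every event at least one rule fires on."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev["image"], ev["loaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, loaded, reasons in find_side_loads(SAMPLE_LOG):
        print(f"{image} -> {loaded}")
        for reason in reasons:
            print(f"    {reason}")
```

Run against the constructed log, the third event (a vendor scanner copied into a public folder next to an unsigned `version.dll`) trips both rules, the fourth trips only the writable-directory rule, and the remaining loads from `System32` or the vendor's own program directory are left alone. In production the DLL list would come from an inventory of the real System32, and the signer of the loading process would be checked too, since the whole point of the technique is that the process is a trusted vendor binary.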
Meanwhile, Cybereason reports on the activities of Winnti (APT41, Axiom, Barium, Bronze Atlas), in which the prominent state-sponsored threat actor has apparently been lying low and silently siphoning off data for years.
Cybereason calls the attack "Operation CuckooBees" and says the targets include manufacturing companies in Europe, Asia and the United States, with the aim of stealing sensitive intellectual property.
However, the attack involves many phases and is extremely effective at avoiding detection, making it impossible to know how many organisations may be affected, the company said.
"Winnti malware [includes] digitally signed kernel-level rootkits, as well as a complex multi-stage infection chain that has allowed the operation to remain undetected since at least 2019."
These covert state-backed activities pose a serious long-term risk, Cybereason said.
"Cyber espionage does not usually generate the same degree of panic or media attention as other cyber attacks, but lack of attention does not make it any less dangerous. A malicious campaign that quietly steals intellectual property for years is extremely costly and could have consequences for years to come."