Southeast Asian military organizations have been targeted in a China-linked cyberespionage campaign running for years, Palo Alto Networks reports.
Likely ongoing since at least 2020 and attributed to a state-sponsored threat actor tracked as CL-STA-1087, the activity shows a high degree of patience, as the attackers stayed dormant in the compromised environments for months.
“The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces,” Palo Alto Networks notes.
As part of the observed intrusions, the hackers deployed custom tools, such as the AppleChris and MemFun backdoors and the Getpass credential stealer, and executed malicious PowerShell scripts remotely on multiple infected systems.
While the initial infection vector has not been identified, Palo Alto Networks determined that, in at least one instance, CL-STA-1087 had access to an organization’s environment for months before resuming its operations.
The attackers deployed PowerShell scripts designed to create reverse shells to a command-and-control (C&C) server and used the access to drop the AppleChris backdoor. Next, they relied on WMI and native Windows .NET commands to infect domain controllers, web servers, IT workstations, and executive-level systems.
As part of the renewed activity, the Chinese spies created a new service for persistence and payload execution, and stored a malicious DLL in the System32 folder, abusing DLL hijacking to load it via a shadow copy service.
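The persistence pattern described above (a new service registered, an unsigned DLL written to System32, and a legitimate service coaxed into loading it) lends itself to a simple correlation hunt. The following is an added example written for this page, not code from the Palo Alto Networks report or from the threat actor's toolset; the event records, service names, file paths and the 24-hour window are all constructed assumptions, modelled loosely on Windows System log Event ID 7045 ("A service was installed") and on a generic file-creation telemetry record.

```python
"""
Added example: flag new service installations that follow an unsigned DLL
being written into System32 within a configurable window.  All records
below are constructed for illustration; field shapes are modelled on
Event ID 7045 and a generic EDR/Sysmon file-create event.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ServiceInstall:
    """Constructed stand-in for a System log 7045 record."""
    time: datetime
    name: str
    image_path: str


@dataclass
class FileCreate:
    """Constructed stand-in for a file-creation telemetry record."""
    time: datetime
    path: str
    signed: bool


SYSTEM32 = r"c:\windows\system32"


def is_system32_dll(path: str) -> bool:
    """True when the path points to a .dll directly inside System32."""
    p = path.lower()
    return p.startswith(SYSTEM32 + "\\") and p.endswith(".dll")


def suspicious_service_dll_installs(services, file_creates,
                                    window=timedelta(hours=24)):
    """Return (service_name, service_image, dll_path) tuples for every
    service installed within `window` AFTER an unsigned DLL landed in
    System32.  A signed DLL, a DLL outside System32, or a service that
    was installed before the DLL write does not produce a hit."""
    recent_dlls = [f for f in file_creates
                   if is_system32_dll(f.path) and not f.signed]
    hits = []
    for svc in services:
        for f in recent_dlls:
            delta = svc.time - f.time
            if timedelta(0) <= delta <= window:
                hits.append((svc.name, svc.image_path, f.path))
    return hits


# --- constructed sample telemetry (hypothetical names and paths) -------------
T0 = datetime(2024, 3, 4, 10, 0)  # arbitrary constructed baseline time

SAMPLE_FILES = [
    # unsigned DLL dropped into System32 -> should correlate
    FileCreate(T0, r"C:\Windows\System32\hypothetical_hijack.dll", signed=False),
    # signed DLL in System32 (e.g. a legitimate update) -> ignored
    FileCreate(T0 + timedelta(minutes=1), r"C:\Windows\System32\legit.dll", signed=True),
    # unsigned DLL outside System32 -> ignored by this rule
    FileCreate(T0 + timedelta(minutes=2), r"C:\Temp\stage.dll", signed=False),
]

SAMPLE_SERVICES = [
    # installed five minutes after the unsigned DLL write -> hit
    ServiceInstall(T0 + timedelta(minutes=5), "HypotheticalSvc",
                   r"C:\Windows\System32\svchost.exe -k netsvcs"),
    # installed the day before any DLL write -> not a hit
    ServiceInstall(T0 - timedelta(days=1), "OlderSvc",
                   r"C:\Windows\System32\svchost.exe -k netsvcs"),
    # installed two days later, outside the 24h window -> not a hit
    ServiceInstall(T0 + timedelta(days=2), "LateSvc",
                   r"C:\Program Files\Vendor\agent.exe"),
]


def run_sample():
    """Apply the rule to the constructed records."""
    return suspicious_service_dll_installs(SAMPLE_SERVICES, SAMPLE_FILES)


if __name__ == "__main__":
    for name, image, dll in run_sample():
        print(f"service {name!r} ({image}) installed after unsigned DLL {dll}")
```

In practice the DLL name would be compared against the loader the service actually uses (the page describes a shadow copy service as the loader), and the signature check would come from the telemetry source rather than a boolean field; the point of the example is the time-ordered correlation, which is what turns two individually noisy events into one actionable alert.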
Following lateral movement, the hackers started searching for sensitive files such as official meeting records, assessments of operational capabilities, and details of joint military activities.
“The attackers showed particular interest in files related to military organizational structures and strategy, including command, control, communications, computers, and intelligence (C4I) systems,” Palo Alto Networks explains.
The threat actor deployed multiple variants of the AppleChris backdoor: an earlier development iteration that used a Dropbox account and a Pastebin page as dead drop resolvers, and a Tunneler variant that relies only on Pastebin but adds advanced network proxy capabilities.
The backdoor dynamically resolves its C&C server’s IP address and then retrieves commands that allow it to enumerate drives, list directories, download, upload and delete files, enumerate processes, execute shell commands remotely, and create processes.
In addition to AppleChris, the hackers deployed MemFun, a multi-stage malware family that relies on reflective DLL loading for the execution of the main backdoor.
Furthermore, they were seen deploying Getpass, a custom version of Mimikatz targeting 10 specific Windows authentication packages for credential harvesting.
Based on Pastebin creation dates and the compilation timestamps of the analyzed malware, Palo Alto Networks believes that the espionage group has been active since at least 2020.
“Our analysis suggests that the attackers maintained communication with multiple compromised networks over an extended period, leveraging Pastebin and Dropbox for C&C distribution. Evidence suggests the threat actor behind the activity cluster continues to update their Dropbox account with updated infrastructure files,” the cybersecurity firm notes.
Palo Alto Networks’ investigation also revealed that the attackers’ operational schedule aligns with the UTC+8 time zone, which corresponds to typical office hours in China and other parts of Asia.
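The working-hours analysis behind that UTC+8 finding is a standard attribution technique: shift the timestamps of attacker actions through each candidate UTC offset and see which one packs the most activity into weekday office hours. The following is an added example written for this page, not analysis code from Palo Alto Networks; the timestamps are constructed so that the answer is known in advance, and the 09:00–18:00 weekday window is an assumption.

```python
"""
Added example: score candidate UTC offsets by how much of a set of
attacker-activity timestamps lands in weekday office hours.  The event
times below are constructed for illustration, not observed data.
"""
from datetime import datetime, timedelta, timezone


def working_hours_fit(timestamps_utc, offset_hours, start=9, end=18):
    """Fraction of events that fall Monday-Friday between `start` and
    `end` (end exclusive) once clocks are shifted by `offset_hours`."""
    if not timestamps_utc:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    inside = 0
    for t in timestamps_utc:
        local = t.astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            inside += 1
    return inside / len(timestamps_utc)


def best_offset(timestamps_utc, offsets=range(-12, 15)):
    """Return (best_offset, {offset: fit}) over the candidate offsets.
    Ties resolve to the lowest offset; a real analysis would report the
    full score table rather than a single winner."""
    scores = {o: working_hours_fit(timestamps_utc, o) for o in offsets}
    best = max(scores, key=scores.get)
    return best, scores


# --- constructed sample: five weekdays (2024-03-04 is a Monday), five
# actions per day at 01:30, 03:30, 05:30, 07:30 and 09:30 UTC, which is
# 09:30 to 17:30 local time at UTC+8 ---------------------------------------
SAMPLE_EVENTS_UTC = [
    datetime(2024, 3, day, hour, 30, tzinfo=timezone.utc)
    for day in range(4, 9)          # Mon 4 .. Fri 8 March 2024
    for hour in (1, 3, 5, 7, 9)
]


def run_sample():
    """Score the constructed events; UTC+8 is the only offset that places
    every event inside the 09:00-18:00 weekday window."""
    return best_offset(SAMPLE_EVENTS_UTC)


if __name__ == "__main__":
    best, scores = run_sample()
    for off in sorted(scores):
        print(f"UTC{off:+d}: {scores[off]:.2f}")
    print("best fit:", f"UTC{best:+d}")
```

On real data the score table is rarely this clean: a single offset usually leads but neighbouring offsets score close behind, which is why such timing evidence is combined with other indicators, as the report does with infrastructure hosting and language artifacts.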
The targeting of military organizations in Southeast Asia, the use of China-based cloud network infrastructure, and the use of Simplified Chinese on a login page for a C&C server suggest that the state-sponsored group behind this campaign is likely operating out of China, Palo Alto Networks says.