Web Server Exploits and Mimikatz Used in Attacks Targeting Asian Critical Infrastructure
Briefly

"Our analysis reveals a multi-faceted tool set that includes custom malware, modified open-source utilities, and living-off-the-land binaries (LOLBINs). These provide a simple, effective way for the attackers to maintain a persistent presence within targeted environments."
"Typical attack chains entail the exploitation of web servers to deliver web shells and move laterally to other hosts, followed by attempts to steal files matching certain extensions ("web.config," ".aspx," ".asmx," ".asax," and ".dll") from the "c:\inetpub\wwwroot" directory of a Windows web server likely in an attempt to steal credentials or discover vulnerabilities."
Palo Alto Networks Unit 42 identified a previously undocumented Chinese threat group called CL-UNK-1068 conducting a multi-year cyber espionage campaign against high-value organizations in South, Southeast, and East Asia. The campaign targets aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors. The threat actor employs a diverse toolkit including custom malware, modified open-source utilities, and living-off-the-land binaries to maintain persistent access. Tools target both Windows and Linux environments, utilizing malware families such as Godzilla, ANTSWORD, Xnote, and Fast Reverse Proxy. Attack chains typically exploit web servers to deploy web shells, establish lateral movement, and steal files with specific extensions from Windows web server directories to obtain credentials or identify vulnerabilities.
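As an added illustration of the file-collection step described above (example code, not from the Unit 42 report or The Hacker News): a small Python hunt over constructed file-access records that flags any process other than the IIS worker reading several of the named file types from the web root. The record format, the w3wp.exe allowlist and the threshold are assumptions to tune per environment.

```python
import ntpath
from collections import defaultdict

# File name and extensions the report says the attackers collect (from the page).
TARGET_NAMES = {"web.config"}
TARGET_EXTENSIONS = {".aspx", ".asmx", ".asax", ".dll"}
WEB_ROOT = ntpath.normcase(r"c:\inetpub\wwwroot")
# Processes expected to touch the web root; assumed allowlist, not from the report.
EXPECTED_PROCESSES = {"w3wp.exe"}

# Constructed sample records in an assumed "timestamp|host|process|path" layout,
# not a real Windows audit or IIS log format.
SAMPLE_RECORDS = r"""
2024-01-01T10:00:01|WEB01|w3wp.exe|C:\inetpub\wwwroot\default.aspx
2024-01-01T10:00:02|WEB01|cmd.exe|C:\inetpub\wwwroot\web.config
2024-01-01T10:00:03|WEB01|cmd.exe|C:\inetpub\wwwroot\bin\App.dll
2024-01-01T10:00:04|WEB01|cmd.exe|C:\inetpub\wwwroot\api\Service.asmx
2024-01-01T10:00:05|WEB01|cmd.exe|C:\inetpub\wwwroot\Global.asax
2024-01-01T10:00:06|WEB01|explorer.exe|C:\Users\admin\notes.txt
"""

def is_target_file(path: str) -> bool:
    """True if path lies under the IIS web root and is one of the collected file types."""
    norm = ntpath.normcase(path)          # lower-case, backslash-normalised on any OS
    if not norm.startswith(WEB_ROOT + "\\"):
        return False
    name = ntpath.basename(norm)
    return name in TARGET_NAMES or ntpath.splitext(name)[1] in TARGET_EXTENSIONS

def parse_record(line: str):
    """Parse one 'timestamp|host|process|path' record; return None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    ts, host, process, path = parts
    return {"ts": ts, "host": host, "process": process.lower(), "path": path}

def find_suspicious_readers(log_text: str, threshold: int = 3):
    """Map (host, process) -> paths for non-IIS processes reading >= threshold target files."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["process"] in EXPECTED_PROCESSES:
            continue
        if is_target_file(rec["path"]):
            hits[(rec["host"], rec["process"])].append(rec["path"])
    return {key: paths for key, paths in hits.items() if len(paths) >= threshold}
```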
Read at The Hacker News