Three suspected Chinese espionage actors aimed a series of cyberattacks against an unnamed Southeast Asian country's critical infrastructure, healthcare and government organizations. Researchers attributed the hacks to APT group Mustang Panda, known for espionage attacks on foreign governments.

Palo Alto Networks' Unit 42 researchers in early 2023 found evidence of three distinct Chinese cyberespionage groups - Mustang Panda, Gallium and Gelsemium - carrying out simultaneous cyber operations targeting a single Southeast Asian country. The espionage actors conducted long-term surveillance of their targets before launching the attacks.

Researchers attributed many of the attacks to Chinese advanced persistent threat group Mustang Panda, which Palo Alto tracks as Stately Taurus. The cyberespionage group first surfaced in Q1 2021 and typically uses the ToneShell and ShadowPad backdoors to gather intelligence and maintain persistence inside victim networks. Mustang Panda has historically been associated with espionage attacks on foreign governments, nongovernmental organizations and groups considered hostile to Chinese interests. Security firm Eset reported in March that the group had been using a previously unseen malware backdoor in attacks on governmental organizations in Europe and Asia (see: Chinese APT Group Deploying New Malware Backdoor).

Unit 42 researchers also reported with moderate confidence that another Chinese cyberespionage group, popularly known as Gallium and tracked by Palo Alto as Alloy Taurus, had run a parallel espionage campaign using a cluster of novel backdoors and hacking tools to establish persistence in victim networks and conduct reconnaissance. Gallium began the espionage campaign in early 2022, using Exchange Server vulnerabilities to deploy a large number of web shells that facilitate the injection of malware specially crafted for target environments.

The espionage group also used two previously unknown backdoors, dubbed Zapoa and ReShell; remote access Trojans such as GhostCringe and Quasar; and the brute-forcing tool Kerbrute to infiltrate targeted organizations' networks. The hackers used these tools to steal credentials, move laterally inside networks and gain access to domain controllers.

"Our analysis of the activity showed a repetitive style of attack, in which the threat actor attacked in waves. Each wave started with web server exploitation as well as installation of web shells and reconnaissance. This was then followed by the deployment of additional tools," the researchers said.

The Gelsemium APT group also conducted espionage activity between Q3 and Q4 2022, specifically targeting vulnerable IIS servers and focusing on discreet reconnaissance and maintaining persistent access to targeted networks. The cyberespionage group's involvement in this campaign was confirmed by its use of two rarely seen backdoors, OwlProxy and SessionManager. Both were previously attributed to the group and observed in a 2020 espionage campaign targeting several entities in Laos. SessionManager is a custom backdoor that enables its operators to upload and download files from a compromised web server, run commands, and use the web server as a proxy to communicate with additional systems on the network.