Tag Archive for: espionage

Advanced Espionage Malware “Stealth Soldier” Hits Libyan Firms


The Stealth Soldier campaign marks the possible reappearance of a threat actor known as “The Eye on the Nile” since its last operation in 2019.

Check Point Research has recently uncovered a series of highly-targeted espionage attacks in Libya, shedding light on a previously undisclosed backdoor called Stealth Soldier. This sophisticated malware operates as a custom modular backdoor with surveillance functionalities, including file exfiltration, screen and microphone recording, keystroke logging, and stealing browser information.

The campaign, which appears to be targeting Libyan organizations, marks the possible re-appearance of a threat actor known as “The Eye on the Nile” since its last operation in 2019.

Stealth Soldier, an implant used in limited and targeted attacks, has shown active maintenance with the latest version, Version 9, compiled in February 2023. Check Point Research’s investigation began with the discovery of multiple files submitted to VirusTotal between November 2022 and January 2023 from Libya.

These files, named in Arabic, such as “هام وعاجل.exe” (Important and Urgent.exe) and “برقية 401.exe” (Telegram 401.exe), turned out to be downloaders for different versions of the Stealth Soldier malware.

The execution flow of Stealth Soldier starts with the downloader, which triggers the infection chain. Although the delivery mechanism of the downloader remains unknown, social engineering is suspected.

The malware’s infection process involves downloading multiple files from the Command and Control (C&C) server, including the loader, watchdog, and payload. These components work together to establish persistence and execute the surveillance functionalities.

First, the loader downloads an internal module called PowerPlus to enable PowerShell commands and create persistence. Then, the watchdog periodically checks for updated versions of the loader and runs it accordingly. Finally, the payload collects data, receives commands from the C&C server, and executes various modules based on the attacker’s instructions.

The victim’s information collected by the Stealth Soldier’s payload includes the…

A long march: China’s military-industrial espionage


This article is adapted from the authors’ new book, Battlefield Cyber: How China and Russia are Undermining our Democracy and National Security (Prometheus, August 2023, available for preorder here).

Recent revelations that Chinese state-sponsored hackers penetrated US critical infrastructure and have the ability to disrupt oil and gas pipelines, rail systems, and the US Navy’s communications in the Pacific theater should come as no surprise. China’s pursuit of digital dominance has been decades in the making.

Reveille for China’s planners was sounded in the early 1990s during the Gulf War, in which the United States and its allies effortlessly toppled Iraqi forces. The first conflict of the digital era demonstrated to Chinese strategists the critical role of information technology on and off the battlefield.

Chinese leaders watched with dismay as the American military routed and dismantled the Iraqi military in what is considered one of the most one-sided conflicts in the history of modern warfare.

Going into the first Gulf War, Iraq’s military was ranked fourth in the world – having ballooned to more than a million troops who had been trained on weapons financed by the West to fight its bloody eight-year war with Iran.

The Chinese military, although larger in headcount at the time, paled in technological comparison with the forces commanded by Saddam Hussein. At the time, China’s air force consisted of a few fighter jets, mostly of its J-7 model – an indigenously produced replica of the Russian 1960s-era MiG-21.

Iraq’s air force, by contrast, was made up of far more advanced fighters, such as the Russian MiG-29, and its planes were supported by advanced antiaircraft missile defense systems. Yet even those advanced weapon systems proved wholly ineffective against 1990s-era American technology.

“The Chinese looked at Iraq and saw an army similarly equipped as theirs with old Soviet weaponry, and they saw how quickly the Iraqis were taken apart,” says analyst Scott Henderson of the cybersecurity firm Mandiant. Henderson was with the US Army at the time, specializing in China.

“A lot of the ease of victory had to do with the…

Previously Undiscovered Team of State-Sponsored Chinese Hackers Has Been Quietly Committing Cyber Espionage in the APAC Region for a Decade


A new advanced persistent threat (APT) group linked to China has been discovered by SentinelLabs, but only after it had conducted cyber espionage campaigns under the radar since 2013. The Chinese hackers, who have been given the name “Aoqin Dragon,” appear to specialize in targeting the Asia Pacific region and like to lure victims with malicious documents that appear to be salacious ads for pornography sites.

Stealthy Chinese hackers focused on Australia and Southeast Asia

The cyber espionage group is thought to have been in action since at least 2013, with a heavy focus on certain APAC countries and regions: Australia, Cambodia, Hong Kong, Singapore, and Vietnam. The group also focuses on government agencies, educational institutions and telecommunications firms, and appears to target individuals involved in political affairs.

The group’s favorite approach is a fairly simple one, and has remained consistent over the years: get the victim to open malicious documents, such as PDF and RTF files. Since 2018 the group has also been observed utilizing fake removable devices via bogus shortcut files delivered to victims using Windows computers; when targets attempt to open the fake device in Windows Explorer, the Evernote Tray Application is hijacked to load a malicious DLL that quietly creates a backdoor for the attackers. The group has also been observed using fake antivirus executables.

The Chinese hackers have shown some connections to another threat group, referred to as “UNC94” (or “Naikon”) by Mandiant, that has been tracked for some years now and has also shown links to the Chinese government in its operations. Both groups employ advanced tactics, such as DNS tunneling and the use of Themida-packed files to create a virtual machine that can evade most malware detection.

The link to the Chinese government is based primarily on the group’s use of Chinese language in its malware and the targets of its cyber espionage, which are almost always of clear political interest to the CCP. The group is also not noted for engaging in the for-profit activities or target selection that would be expected of a criminal outfit.

Cyber espionage targets, tools and tactics point to low-key…

Trend Micro fixes bug Chinese hackers exploited for espionage


Trend Micro says it patched a DLL hijacking flaw in Trend Micro Security used by a Chinese threat group to side-load malicious DLLs and deploy malware.

As Sentinel Labs revealed in an early-May report, the attackers exploited the fact that security products run with high privileges on Windows to plant and load their own maliciously crafted DLL into memory, allowing them to elevate privileges and execute code.

“Trend Micro is aware of some research that was published on May 2, 2022, regarding a purported Central-Asian-based threat actor dubbed ‘Moshen Dragon’ that had deployed malware clusters that attempted to hijack various popular security products, including one from Trend Micro,” the cybersecurity company said.

After analyzing the report and its product line, the company discovered that only the Trend Micro Security consumer-focused product was affected, with no other commercial or business products impacted.

“For Trend Micro Security (Consumer), a fix was deployed via Trend Micro’s ActiveUpdate (AU) on May 19, 2022, and any user with an active internet connection should receive the update shortly if they have not yet already received it,” the antivirus vendor added.

DLL hijacking bugs in multiple security products

The Moshen Dragon group also reportedly abused similar bugs in security products from Bitdefender, McAfee, Symantec, and Kaspersky to install Impacket, a Python kit designed for lateral movement and remote code execution via Windows Management Instrumentation (WMI).

Impacket also has credential-stealing capabilities powered by an open-source tool used to capture the details of password change events on a domain.

Moshen Dragon attack flow (Sentinel Labs)

According to Sentinel Labs, the final payloads dropped by the Moshen Dragon operators include variants of PlugX and ShadowPad, two backdoors used by multiple Chinese APTs in recent years.

The threat actors have used these tactics to target telecommunication service providers in Central Asia with the end goal of exfiltrating data from as many systems as possible.

While Trend Micro has published an advisory detailing the mitigation measures taken to stop Moshen Dragon from abusing its security products for…
