
The Chinese APT Groups and their Cyberespionage Campaigns

by CISOCONNECT Bureau

Chinese APT groups have intensified their cyberespionage campaigns against organizations around the world. Read on to know more…

According to security researchers, various cyber threat groups active since at least 2013 have been waging cyber espionage campaigns against organizations throughout the world. One of the most prolific is OceanLotus, also tracked as APT32, APT-C-00, Ocean Buffalo and SeaLotus, among its many names. Although it is often discussed alongside the China-based groups covered below, OceanLotus is assessed by most researchers to operate in the interests of the Vietnamese government. The group has waged long-term espionage campaigns targeting a variety of industries and governments.

Campaign Against Southeast Asian Governments
The OceanLotus group conducts cyber-espionage against organizations of interest to the Vietnamese government. It has attacked Southeast Asian countries such as Cambodia, Laos and the Philippines. According to recent research, OceanLotus has launched a campaign against the Cambodian government using ASEAN-themed spear-phishing lures.

The group has also been found running several campaigns through fake websites and Facebook pages. These sites profile visitors, redirect them to phishing pages and deliver malware payloads for macOS and Windows. One such campaign packaged its malware in a RAR archive named Adobe_Flash_Install.rar, which impersonates an Adobe Flash installer. The threat actors also used cloud storage services to host the payload files.

FunnyDream
Bitdefender researchers uncovered a Chinese APT group stealthily attacking Southeast Asian governments. Although many of the C&C servers were found to be offline, the operation appears to be ongoing. The cyberespionage group, dubbed FunnyDream, has compromised more than 200 systems across the region over the past couple of years. Three malware families were identified in the analyzed attacks: FunnyDream, Chinoxy and PcShare.

Malware Toolset
The Chinoxy dropper abuses the legitimate Logitech Bluetooth Wizard Host Process in a DLL side-loading attack: the trusted executable loads the backdoor DLL into memory, which helps the malware evade detection, since the process that appears in telemetry is a known, benign application. PcShare is a Chinese RAT used to collect intelligence from affected hosts.

FunnyDream, a custom-made backdoor, is used for intelligence gathering and data exfiltration. It supports advanced persistence and command-and-control communication functionality.

Other China-based APT Groups
Cicada, also known as APT10, has been establishing itself in the networks of organizations in the pharmaceutical, automotive and engineering sectors by exploiting the Microsoft Zerologon vulnerability (CVE-2020-1472) in the Netlogon protocol. The campaign targeted several Japanese companies, including subsidiaries across 17 regions worldwide.
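A successful Zerologon exploit resets a domain controller's machine-account password through a Netlogon session that was never really authenticated, so the resulting "A computer account was changed" event (ID 4742) is attributed to ANONYMOUS LOGON instead of a real principal. The check below is an added example rather than code from Symantec's Cicada research or the article; the event records are constructed JSON lines in the shape a log shipper produces for 4742, and the host names and the DOMAIN_CONTROLLERS inventory are assumed for the demo.

```python
"""Flag Zerologon-style machine-account password resets in Windows Security events.

Added example, not from the Symantec Cicada report. The records below are
constructed JSON lines in the shape a log shipper produces for Event ID 4742
("A computer account was changed"); the host names are hypothetical.
"""
import json

ANONYMOUS_LOGON_SID = "S-1-5-7"

# Domain controllers in the environment (assumed inventory for this demo).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}


def is_zerologon_reset(event: dict) -> bool:
    """True when a computer account's password was reset by an unauthenticated caller.

    A successful Zerologon (CVE-2020-1472) exploit calls NetrServerPasswordSet2
    over a Netlogon session established with a zeroed ClientCredential, so the
    resulting 4742 is attributed to ANONYMOUS LOGON rather than to a real
    principal, and the attribute that changed is the password.
    """
    if event.get("EventID") != 4742:
        return False
    anonymous = (event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
                 or event.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON")
    if not anonymous:
        return False
    target = event.get("TargetUserName", "")
    if not target.endswith("$"):
        return False          # only machine accounts are reset through Netlogon
    # In 4742, attributes that did not change are reported as "-".
    return event.get("PasswordLastSet", "-") != "-"


def hunt(json_lines) -> list:
    """Return (target, logging host, severity) for each suspicious reset."""
    hits = []
    for line in json_lines:
        ev = json.loads(line)
        if is_zerologon_reset(ev):
            sev = "critical" if ev["TargetUserName"] in DOMAIN_CONTROLLERS else "high"
            hits.append((ev["TargetUserName"], ev["Computer"], sev))
    return hits


# Constructed events: one exploit signature, one admin-driven change, one
# anonymous 4742 that touched a different attribute, one unrelated event.
SAMPLE_LOG = [
    json.dumps({"EventID": 4742, "Computer": "DC01.corp.example",
                "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": "S-1-5-7",
                "TargetUserName": "DC01$", "PasswordLastSet": "2020-09-14 09:41:02"}),
    json.dumps({"EventID": 4742, "Computer": "DC01.corp.example",
                "SubjectUserName": "svc_join", "SubjectUserSid": "S-1-5-21-1-2-3-1105",
                "TargetUserName": "WS-0421$", "PasswordLastSet": "2020-09-14 09:50:10"}),
    json.dumps({"EventID": 4742, "Computer": "DC02.corp.example",
                "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": "S-1-5-7",
                "TargetUserName": "WS-0777$", "PasswordLastSet": "-",
                "ServicePrincipalNames": "HOST/ws-0777"}),
    json.dumps({"EventID": 4624, "Computer": "DC01.corp.example",
                "SubjectUserName": "-", "TargetUserName": "DC01$"}),
]

if __name__ == "__main__":
    for target, host, sev in hunt(SAMPLE_LOG):
        print(f"[{sev}] password of {target} reset anonymously, logged on {host}")
```

Treat a hit on a domain controller account as an incident rather than an alert: once the DC's machine password has been zeroed, the attacker can obtain domain credentials, and the only reliable remediation is to patch, reset the affected machine account passwords and investigate what was done with the access.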

Another China-based APT group was found sending spear-phishing emails that distributed an intelligence-collecting RAT known as Sepulchre. This previously undocumented RAT has been used against European officials and Tibetan dissidents.

The Ground Reality
The FunnyDream backdoor supports capabilities such as collecting files, taking screenshots, reaching into internal networks, logging keystrokes and bypassing network restrictions. The earliest indications of that campaign date back to 2018, with activity increasing since early 2019. Because the backdoor is highly sophisticated, experts advise organizations to remain vigilant and harden their defenses.

OceanLotus continues to develop its TTPs and is no longer limited to spear-phishing and compromised websites. Since the group now builds its own fake websites to launch attacks, experts expect it to move toward larger, more organized campaigns in the near future.
