
Chinese Hackers Targeted Dozens of Industrial Enterprises and Public Institutions

"Spear-phishing remains one of the most relevant threats to industrial enterprises and public institutions," Kaspersky said.


Since January 2022, over a dozen military-industrial complex firms and governmental organisations in Afghanistan and Europe have been targeted in order to acquire private data via six distinct backdoors. The attacks were attributed "with a high degree of confidence" to a China-linked threat actor tracked by Proofpoint as TA428, based on overlaps in tactics, techniques, and procedures (TTPs).

TA428, also known as Bronze Dudley, Temp.Hex, and Vicious Panda, has previously struck entities in Ukraine, Russia, Belarus, and Mongolia. It is thought to be linked to another hacker organisation known as Mustang Panda (aka Bronze President). The current cyber espionage effort targeted industrial plants, design bureaus and research institutions, as well as government entities, ministries, and departments in several East European countries and Afghanistan.

Penetration of company IT networks is accomplished through the use of carefully prepared phishing emails, including some that mention non-public information about the target companies, to fool recipients into opening rogue Microsoft Word documents. These decoy files carry exploits for a 2017 memory corruption vulnerability in the Equation Editor component (CVE-2017-11882), which allows arbitrary code execution on affected computers and ultimately leads to the deployment of a backdoor known as PortDoor.
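The lure documents described above rely on an embedded Microsoft Equation 3.0 object, so the cheapest triage check on a suspicious Word or RTF attachment is to look for the static indicators of that object. The following is an added illustration written for this article, not Kaspersky's or Proofpoint's tooling: it does no full OLE parsing, it only searches raw bytes for the Equation Editor CLSID, the "Equation Native" stream name, and the RTF `\objclass` / hex-encoded `\objdata` forms of the class name. The sample inputs are constructed; real lures may additionally obfuscate the object, so a hit is a reason to detonate the file, and a miss is not a clean bill of health.

```python
"""Triage helper: flag Office/RTF attachments that embed a Microsoft Equation 3.0
object, the component exploited by CVE-2017-11882.

Added example for this article (not the researchers' code).  Pure byte-pattern
scanning; no third-party OLE library needed.  All sample inputs are constructed.
"""
import re

# CLSID {0002CE02-0000-0000-C000-000000000046} (Microsoft Equation 3.0) as it
# is laid out in a compound-file directory entry: Data1..Data3 little-endian.
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")

# Stream and storage names inside OLE compound files are stored as UTF-16LE.
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")

# RTF carriers either name the OLE class in clear text (\objclass) or hide it
# inside the hex-encoded OLE1 object header that follows \objdata.
RTF_OBJCLASS = re.compile(rb"\\objclass\s*Equation\.3", re.IGNORECASE)
RTF_OBJDATA = re.compile(rb"\\objdata\b[^}]*", re.IGNORECASE | re.DOTALL)
EQUATION_ASCII_HEX = b"Equation.3".hex().encode()  # b"4571756174696f6e2e33"


def equation_editor_indicators(data: bytes) -> list[str]:
    """Return the names of every Equation Editor indicator found in `data`."""
    hits = []
    if EQUATION_CLSID in data:
        hits.append("ole_clsid_equation3")
    if EQUATION_NATIVE_UTF16 in data:
        hits.append("ole_stream_equation_native")
    if RTF_OBJCLASS.search(data):
        hits.append("rtf_objclass_equation3")
    for m in RTF_OBJDATA.finditer(data):
        # RTF writers wrap hex runs across lines; collapse whitespace first.
        blob = re.sub(rb"\s+", b"", m.group(0)).lower()
        if EQUATION_ASCII_HEX in blob:
            hits.append("rtf_objdata_equation3")
            break
    return hits


def is_suspicious(data: bytes) -> bool:
    """True when at least one indicator is present (escalate for sandboxing)."""
    return bool(equation_editor_indicators(data))


# --- constructed samples (not real malware) ---------------------------------
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Minimal stand-in for a .doc whose directory entry carries the Equation CLSID.
LURE_OLE = OLE_MAGIC + b"\x00" * 32 + EQUATION_CLSID + b"\x00" * 16
# RTF with both a clear-text class name and a hex-encoded OLE1 header.
LURE_RTF = (
    b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
    b"01050000020000000b000000" + EQUATION_ASCII_HEX + b"00}}}"
)
BENIGN_RTF = b"{\\rtf1 Quarterly budget attached.\\par}"

if __name__ == "__main__":
    for name, blob in (("lure.doc", LURE_OLE), ("lure.rtf", LURE_RTF),
                       ("memo.rtf", BENIGN_RTF)):
        print(f"{name}: {equation_editor_indicators(blob) or 'no indicators'}")
```

Because Equation Editor was removed by Microsoft in the January 2018 updates, any document that still embeds an Equation 3.0 object is unusual enough in most estates that the scan above can be run at the mail gateway with few false positives; pair it with a patch check for CVE-2017-11882 on the endpoints that receive the files.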

In April 2021, Chinese state-sponsored hackers used PortDoor in spear-phishing efforts to break into the computers of a defence firm that manufactures submarines for the Russian Navy. The use of six distinct implants, according to Kaspersky, is most likely an attempt by the threat actors to build redundant channels for managing infected hosts in case one of them is detected and removed from the network.

The attacks culminate with the attacker hijacking the domain controller and taking total control of all of the organization's workstations and servers, using the privileged access to exfiltrate files of interest in the form of compressed ZIP packages to a remote server in China.
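The exfiltration step above, ZIP archives pushed from compromised hosts to a remote server, is one of the few stages of this intrusion that leaves a simple network-level trace. As an added example (not from the Kaspersky report), the code below runs a small detection over constructed proxy log lines: it sums outbound archive uploads per source host and flags any host that pushes more than a threshold within the log window. The log format, field names and threshold are assumptions chosen for the illustration.

```python
"""Detect bulk archive uploads in outbound proxy logs.

Added example for this article; the CSV log layout below is an assumption:
timestamp,src_ip,dst_host,method,content_type,bytes_out
"""
import csv
from collections import defaultdict
from io import StringIO

ARCHIVE_TYPES = {
    "application/zip",
    "application/x-zip-compressed",
    "application/x-rar-compressed",
    "application/x-7z-compressed",
}
UPLOAD_METHODS = {"POST", "PUT"}


def archive_upload_totals(log_text: str) -> dict[str, dict[str, int]]:
    """Sum bytes of archive uploads per (src_ip -> dst_host)."""
    totals: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(StringIO(log_text)):
        if row["method"].upper() not in UPLOAD_METHODS:
            continue
        if row["content_type"].split(";")[0].strip().lower() not in ARCHIVE_TYPES:
            continue
        totals[row["src_ip"]][row["dst_host"]] += int(row["bytes_out"])
    return {src: dict(dsts) for src, dsts in totals.items()}


def flag_bulk_archive_exfil(log_text: str, threshold: int = 50_000_000) -> list[tuple[str, str, int]]:
    """Return (src_ip, dst_host, bytes) for flows above `threshold` bytes."""
    alerts = []
    for src, dsts in archive_upload_totals(log_text).items():
        for dst, total in dsts.items():
            if total > threshold:
                alerts.append((src, dst, total))
    return sorted(alerts)


# Constructed sample: one workstation repeatedly uploading large archives to an
# external host, plus ordinary browsing and a small legitimate upload.
SAMPLE_LOG = """timestamp,src_ip,dst_host,method,content_type,bytes_out
2022-03-01T09:12:04Z,10.20.1.15,intranet.example.local,GET,text/html,512
2022-03-01T09:15:41Z,10.20.1.15,files.example.org,POST,application/zip,2500000
2022-03-01T22:03:10Z,10.20.1.42,203.0.113.7,POST,application/zip,41000000
2022-03-01T22:07:55Z,10.20.1.42,203.0.113.7,PUT,application/x-zip-compressed,38000000
2022-03-01T22:09:02Z,10.20.1.42,203.0.113.7,POST,application/octet-stream,900
2022-03-01T23:30:00Z,10.20.1.42,203.0.113.7,POST,application/zip,12000000
"""

if __name__ == "__main__":
    for src, dst, total in flag_bulk_archive_exfil(SAMPLE_LOG):
        print(f"ALERT {src} -> {dst}: {total} bytes of archive uploads")
```

In practice the threshold should be tuned per environment and the source should be enriched with the user and process behind the upload; a domain controller or file server initiating archive uploads to an external address is a far stronger signal than a developer workstation doing the same.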

Other backdoors used in the attacks include nccTrojan, Cotx, DNSep, Logtu, and CotSam, a previously unreported malware so named because of its resemblance to Cotx. Each offers significant capabilities for taking control of the systems and stealing sensitive data.

The attacks also make use of Ladon, a hacking framework that lets the adversary scan for devices on the network and exploit security vulnerabilities in them to execute malicious code.

"Spear-phishing remains one of the most relevant threats to industrial enterprises and public institutions," Kaspersky said. "The attackers used primarily known backdoor malware, as well as standard techniques for lateral movement and antivirus solution evasion."

"At the same time, they were able to penetrate dozens of enterprises and even take control of the entire IT infrastructure, and IT security solutions of some of the organizations attacked."