Chinese-language APTs are targeting telecom companies in cyber-espionage campaigns aimed at stealing sensitive data & trade secrets tied to 5G technology, researchers explain.
Researchers say China-linked APTs tempt victims with false Huawei career pages in what they dub ‘Operation Diànxùn’.
The campaigns, dubbed “Operation Diànxùn”, target & lure victims working in the telecom industry. A typical ploy involves a fake website designed to mimic telco giant Huawei’s career page.
Initial Vector
“While the initial vector for the infection is not entirely clear, we believe with a medium level of confidence that victims were lured to a domain under control [of] the threat actor, from which they were infected with malware,” according to McAfee researchers in a Tuesday report.
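The lure in phase 1 is a domain that trades on the Huawei brand without belonging to Huawei. A defender can flag such lookalikes in proxy or DNS logs before anyone lands on the page. The following is an added example (not code from McAfee or from the article) of that check: the allowlisted apex `huawei.com`, the two-label approximation of the registrable domain and the sample hostnames are all assumptions made for the example.

```python
import re
import unicodedata

# Assumption for the example: the organisation's allowlist of legitimate apex domains.
LEGIT_APEXES = {"huawei.com"}


def to_unicode(host):
    """Decode punycode (xn--) labels so a homoglyph domain can be compared by its visible text."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        # Already unicode (or malformed); compare it as given.
        return host


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Assumption for the example; a public-suffix list handles co.uk-style suffixes correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def fold(host):
    """Strip accents/combining marks so 'huaweí' compares as 'huawei'."""
    nfkd = unicodedata.normalize("NFKD", host)
    return "".join(c for c in nfkd if not unicodedata.combining(c)).lower()


def is_brand_lookalike(host, brand="huawei"):
    """True when the host name contains the brand but its apex is not an allowlisted domain.
    The apex check runs on the raw host so a homoglyph apex never matches the allowlist."""
    visible = to_unicode(host)
    if registrable(visible) in LEGIT_APEXES:
        return False
    compact = re.sub(r"[^a-z0-9]", "", fold(visible))
    return brand in compact


def flag_hosts(hosts, brand="huawei"):
    """Return the subset of constructed log hostnames that look like brand lookalikes."""
    return [h for h in hosts if is_brand_lookalike(h, brand)]


# Constructed sample hostnames as they might appear in a DNS or proxy log.
SAMPLE_HOSTS = [
    "careers.huawei.com",      # legitimate apex, not flagged
    "huawei-careers.example",  # brand in a foreign apex, flagged
    "hr.huawei-jobs.net",      # brand in a foreign apex, flagged
    "huaweí.com",              # accented homoglyph apex, flagged
    "example.com",             # unrelated, not flagged
]

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_HOSTS))
```

Run against the constructed list, the function keeps the two hyphenated lookalikes and the accented apex while passing the real `careers.huawei.com` through, which is the property a blocklist generator or SIEM rule needs.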
Given the tactics used in the campaign, researchers attributed it to the known Chinese-language APTs Red Delta & Mustang Panda.
Red Delta was last believed to be behind cyber-attacks against the Vatican & other Catholic Church-related institutions in 2020.
In those attacks, adversaries leveraged spear phishing emails laced with malware that ultimately pushed the PlugX remote access tool (RAT) as the final payload.
Mustang Panda
Meanwhile, Mustang Panda has been linked to cyber-espionage attacks on non-governmental organisations (NGOs) with a focus on gathering intelligence on Mongolia, using shared malware such as Poison Ivy or PlugX. The group is also known to shift tactics & adopt new tools quickly, researchers have noted.
This time around, the groups seem to be gunning for sensitive data & aiming “to spy on companies related to 5G technology,” researchers wrote.
The campaign is likely related to a number of countries’ decision to ban the use of Chinese equipment from Huawei in the global rollout of the next-generation wireless telecommunications technology, researchers suggested.
Multi-Phased Approach
The APTs used a multi-phased approach to the attacks, with the initial delivery vector likely coming in the form of a phishing attack using the internet as the 1st point of contact with victims, researchers suggested with “a medium level of confidence.”
When a victim falls for this aspect of the campaign, the 2nd phase executes a .NET payload on the victim’s endpoint by leveraging Flash-based artifacts, the report states.
Fake Flash Installer
“While the execution of the initial fake Flash installer acts mainly like a downloader, the [.NET] payload contains several functions & acts as a utility to further compromise the machine,” researchers observed.
“This is a tool to manage & download backdoors to the machine & configure persistence.”
Final Phase
In the 3rd & final phase of the attack, threat actors create a backdoor for remote control of the victim via a command-and-control (C2) server & Cobalt Strike Beacon, according to the report.
Researchers recommend “an adaptive & integrated security architecture” to defend against multi-layered attacks such as Diànxùn, “which will make it harder for threat actors to succeed & increase resilience in the business.”