Overview
SECUINFRA Falcon Team • 12.04.2023

Beijing Calling: Chinese APTs are targeting European Governments and Businesses

In a recent TLP:CLEAR publication the European Union Agency for Cybersecurity (ENISA) and CERT-EU warned about malicious activities against EU governments and businesses attributed to Chinese Advanced Persistent Threat (APT) groups. In contrast to other nation state-backed Threat Groups from e.g. North Korea, who seek to profit financially from cyber attacks, Chinese Threat Actors are motivated to conduct political and industrial espionage and establish long-term persistence. In this news bulletin we would like to inform you about the Chinese APT groups that are currently active and their respective tools and techniques.

APT27

This Threat Group, sometimes also referred to as “Lucky Mouse”, has been targeting foreign embassies and organizations to gather intelligence on political, defense and technology sectors for more than a decade. In addition to free/open-source and system tooling they employ Malware known from the China-Nexus like HyperBro and PlugX.

Another piece custom piece from their toolkit is a backdoor called “SysUpdate”. TrendMicro recently found that this previously Windows-only Malware is now also targeting Linux systems, as can be seen in Figure 1 below. SysUpdate’s features include information retrieval (Screenshots, System information), and different Execution options (Process/Service, File Manager, Remote Shell). A subset of samples also contains a feature to use Domain Resolution (DNS) traffic for its Command&Control communications.

Figure 1: SysUpdate (Linux version) establishes persistence through systemd

APT31

The activities of APT31 are, compared to other Chinese Threat Groups, more stealthy, less frequent and completely separate from other groups. They focus on exploitation of different software to gather political, economic and military intelligence. In 2021 researchers uncovered the so-called “SoWaT” backdoor, targeting Routers (MIPS architecture) in multiple western European countries. Figure 2 shows a screenshot of the analysis of the backdoor and contains a few hints on its functionality: manipulating router settings and receiving remote commands. The complexity of the Command&Control traffic handling and encryption shows that this backdoor was designed for covert deployment. A thorough analysis of the backdoor was conducted by imp0rtp3.

Figure 2: SoWaT backdoor, string view gives hints to functionality

APT15

In recent reporting done by Palo Alto Networks Unit42 the APT15 Advanced Persistent Threat group was specifically targeting Iranian government infrastructure with a custom Windows backdoor called “Turian”, which was first spotted in 2021 by ESET. APT15’s tooling is comparable in sophistication with the other Threat groups in this article, but currently attributed campaigns show that their current focus is on countries in the Middle East, Africa and North/South America.

Mustang Panda

Mustang Panda’s activity dates back to at least 2017/2018, when they were first targeting Mongolia for intelligence gathering purposes. The Threat group is known for a somewhat more overt approach to compromising political targets, with their preferred tool being malicious office documents or document lures combined with (file-less) Malware, as can be seen in Figure 3. Another tool of choice for them are customized versions of PlugX/Korplug.

Figure 3: Contents of a RAR archive distributed by Mustang Panda, contains document lures and Malware

ESET recently discovered a new backdoor attributed to Mustang Panda which they named “MQsTTang” after the utilized MQTT Network protocol used for their Command&Control infrastructure (see Figure 4).

Figure 4: MQsTTang backdoor communicating via the MQTT Protocol

Detection and Response Measures

We second the measures proposed by CERT-EU and would like to highlight a few of them that will have a large impact on security posture of organizations in focused branches:

  • Establishing Log collection and monitoring for security events on assets and networking equipment.
  • Protection of assets (clients, servers) should be reinforced through the use of an Endpoint Detection & Response (EDR) solution and continuous monitoring.
  • Manage vulnerabilities through a centralized system and keep up with patch cycles.
  • Conduct regular assessments of your environment, either in an offensive (Pentests, Red-Teaming) or a defensive nature (Compromise Assessments).
  • Prepare a thorough backup strategy and Incident Response plans and test them periodically.
  • Create user awareness for possible malicious activity with e.g. Phishing simulation and targeted trainings.

Hashsums for the mentioned samples

APT27 – SysUpdate

e9c6e9aba10b5e26e578efc6105727d74fbd3a02450fbda2b4ee052b3fbbaecb

APT31 – SoWaT

1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2

MustangPanda

RAR – 447a62c7e29e2da85884b6e4aea80aca2cc5ba86694733ca397a2c8ba0f8e197

MQsTTang backdoor – 4936b873cfe066ec5efce01ef8fb1605f8bc29a98408a13bc8fe4462b2f09c5a

Share post on:

XING
Twitter
LinkedIn

SECUINFRA Falcon Team • Autor

Digital Forensics & Incident Response experts

In addition to the activities that are the responsibility of customer orders, the Falcon team takes care of the operation, further development and research of various projects and topics in the DF/IR area.

> all articles

CYBER DEFENSE.

MADE IN GERMANY.

Our portfolio

About SECUINFRA

©2024 SECUINFRA GmbH. All rights reserved.

Cookie Consent with Real Cookie Banner