Salt Typhoon, a Chinese APT group active since 2019, targets critical sectors, including Telecommunications and Government entities across multiple regions. Known for its advanced cyberespionage tactics, the group utilizes various tools and techniques to maintain access while evading detection. This includes exploiting Microsoft Exchange vulnerabilities and employing a range of persistence and privilege escalation techniques. AttackIQ’s new assessment template assists organizations in validating their security controls against Salt Typhoon’s evolving tactics.
Affected: Telecommunications, Government entities, Internet Service Providers (ISPs)
Key points:
- Salt Typhoon is a Chinese APT group also known as FamousSparrow, GhostEmperor, Earth Estries, and UNC2286.
- The group has been active since at least 2019, focusing on critical sectors like Telecommunications and Government.
- It operates with advanced cyberespionage capabilities, employing multiple backdoors and hacking tools.
- Utilizes PowerShell downgrade attacks to evade detection by Windows Antimalware Scan Interface (AMSI).
- Exploits Microsoft Exchange’s ProxyLogon vulnerabilities for Remote Code Execution (RCE).
- AttackIQ has developed an assessment template to help organizations validate security controls against Salt Typhoon’s activities.
- Emulation of various TTPs exhibited by Salt Typhoon helps in evaluating security posture and detecting ongoing threats.
MITRE Techniques:
- Execution: PowerShell (T1059.001) – Encodes a PowerShell script and executes it with the -encodedCommand parameter.
- Execution: Visual Basic (T1059.005) – Attempts to execute a Visual Basic Script via cscript.exe.
- Execution: Native API (T1106) – Uses CreateProcessA to run an executable payload.
- Execution: Process Injection (T1055) – Performs process injection via VirtualAlloc and VirtualProtect.
- Execution: DLL Search Order Hijacking (T1574.001) – Loads a rogue DLL into a trusted system binary.
- Persistence: Registry Run Keys / Startup Folder (T1547.001) – Creates a registry entry for persistence.
- Persistence: Scheduled Task (T1053.005) – Creates a scheduled task to maintain access.
- Privilege Escalation: Access Token Manipulation (T1134) – Adjusts privileges to enable higher-level access.
- Discovery: Query Registry (T1012) – Queries the MachineGUID from the Windows registry.
- Command and Control: BITS Jobs (T1197) – Creates a BITS job to download a payload.
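The two PowerShell behaviours listed above (the engine downgrade used to sidestep AMSI in the key points, and the -encodedCommand execution under T1059.001) both leave a visible trace in the process command line, so they are among the cheapest items in this list to check against your own telemetry. The following Python is an added detection example written for this summary; it is not code from AttackIQ, from the assessment template, or from the linked article. The log records are constructed in a simplified key=value form, and the field names Image and CommandLine are assumptions modelled on Sysmon process-creation events.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Constructed sample: a base64 (UTF-16LE) script as PowerShell's -EncodedCommand expects it.
ENCODED_SCRIPT = base64.b64encode("Get-Date".encode("utf-16le")).decode()

PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed process-creation records (not real telemetry). Field names are assumed.
SAMPLE_LOGS = [
    "EventID=1 | Image=" + PS_IMAGE + " | CommandLine=powershell.exe -NoProfile -Command Get-Service",
    "EventID=1 | Image=" + PS_IMAGE + " | CommandLine=powershell.exe -nop -w hidden -enc " + ENCODED_SCRIPT,
    "EventID=1 | Image=" + PS_IMAGE + " | CommandLine=powershell.exe -version 2 -File C:\\Temp\\update.ps1",
    "EventID=1 | Image=C:\\Windows\\System32\\notepad.exe | CommandLine=notepad.exe report.txt",
]

# powershell.exe accepts -e, -ec, -en, -enc and longer prefixes of -EncodedCommand;
# the common short forms are matched here, followed by the base64 argument.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# "-Version 2" (or "-v 2") asks for the PowerShell 2.0 engine, which predates AMSI
# and script block logging, so a downgrade request is worth surfacing on its own.
DOWNGRADE_FLAG = re.compile(r"(?i)(?:^|\s)-v(?:ersion)?\s+2(?:\.0)?(?:\s|$)")


@dataclass
class Finding:
    technique: str
    detail: str


def parse_record(line: str) -> dict:
    """Split a 'key=value | key=value' record into a dict.

    A real pipeline would read the structured event fields instead of
    splitting on a separator that a command line could itself contain.
    """
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, None if the flag is absent,
    or a marker string if the argument is present but not valid base64/UTF-16LE."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return "<undecodable encoded payload>"


def analyze(record: dict) -> list:
    """Return the findings for one process-creation record."""
    findings = []
    image = record.get("Image", "").lower()
    cmd = record.get("CommandLine", "")
    if "powershell" not in image and "powershell" not in cmd.lower():
        return findings
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append(Finding("T1059.001 encoded command", decoded))
    if DOWNGRADE_FLAG.search(cmd):
        findings.append(Finding("T1059.001 engine downgrade to 2.0", cmd))
    return findings


def scan(lines: list) -> dict:
    """Map the index of each record that produced findings to its findings."""
    results = {}
    for index, line in enumerate(lines):
        findings = analyze(parse_record(line))
        if findings:
            results[index] = findings
    return results


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOGS).items():
        for finding in findings:
            print(f"record {index}: {finding.technique}: {finding.detail}")
```

Decoding the argument rather than only flagging its presence matters: most encoded command lines in an enterprise are benign automation, and the decoded script is what lets an analyst triage quickly. On real hosts the same logic maps onto Sysmon Event ID 1 or Security event 4688 with command-line auditing enabled; the downgrade check complements, rather than replaces, disabling the PowerShell 2.0 engine feature outright.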
Indicators of Compromise:
- [Domain] example.com
- [IP Address] 192.168.1.1
- [URL] http://malicious.com/path
- [Email Address] attacker@example.com
- [Hash] 5d41402abc4b2a76b9719d911017c592
Full Story: https://www.attackiq.com/2025/03/19/emulating-salt-typhoon/