Stately Taurus Activity in Southeast Asia Links to Bookworm Malware

The article discusses the Stately Taurus cyber activity targeting organizations in ASEAN-affiliated countries, revealing its connection to the Bookworm malware. Unit 42 has identified the use of DLL sideloading techniques in these attacks, confirming the attribution of Bookworm to the Stately Taurus group after nearly a decade of unlinked observations. The findings include details about malware payloads and their command and control (C2) communications, alongside updates on the Bookworm malware’s evolution.
Affected: organizations in ASEAN countries, Myanmar, cybersecurity sector

Key points:

  • Unit 42 observed Stately Taurus activity targeting ASEAN-affiliated organizations.
  • Identified overlaps between Stately Taurus infrastructure and the Bookworm malware.
  • PubLoad malware was delivered via DLL sideloading techniques in earlier Stately Taurus attacks.
  • Connection between the Bookworm malware and Stately Taurus confirmed after years of analysis.
  • Recent Stately Taurus operations in Myanmar involved the use of a malicious payload.
  • Advanced detection measures are offered by Palo Alto Networks to combat these threats.

MITRE Techniques:

  • Execution (T1203) via DLL Side-Loading: Delivery of malware using a legitimate executable signed by an automation organization to load a malicious payload.
  • Command and Control (T1071) via HTTP: Communication of the PubLoad payload with its C2 server utilizing HTTP requests that mimic legitimate URLs.
  • Defense Evasion (T1070): Use of legitimate API callbacks to execute malicious shellcode while obscuring its origin.

Indicators of Compromise:

  • [SHA-256] cf61b7a9bdde2a39156d88f309f230a7d44e9feaf0359947e1f96e069eca4e86
  • [SHA-256] fbc67446daaa0a0264ed7a252ab42413d6a43c2e5ab43437c2b3272daec85e81
  • [SHA-256] 5064b2a8fcfc58c18f53773411f41824b7f6c2675c1d531ffa109dc4f842119b
  • [IP Address] 123.253.32.15
  • [Domain] www.fjke5oe[.]com
Full Story: https://unit42.paloaltonetworks.com/stately-taurus-uses-bookworm-malware/