Summary:
A targeted attack on a large U.S. organization with a presence in China involved a China-based threat actor who gained persistent access for intelligence gathering. The attackers utilized various tools and techniques, including DLL sideloading and lateral movement across the network, to compromise multiple machines and exfiltrate data. The attack spanned from April to August 2024, highlighting the sophistication of the methods employed.
#TargetedAttack #IntelligenceGathering #DLLSideloading
Keypoints:
Attack targeted a large U.S. organization with operations in China.
Attackers likely associated with a China-based threat actor.
Persistent presence on the network for intelligence gathering.
Attack timeline spanned from April to August 2024.
Compromised multiple computers, including Exchange Servers.
Used DLL-sideloading techniques with legitimate applications.
Employed tools like Impacket, FileZilla, and PSCP for lateral movement.
Executed commands via WMI and PowerShell for reconnaissance and credential dumping.
Targeted email data and service accounts for exfiltration.
Indicators of compromise include specific file hashes and malicious tools.
MITRE Techniques:
Credential Dumping (T1003): Used reg.exe to dump credentials from the registry.
Remote File Copy (T1105): Utilized PSCP and FileZilla for transferring files.
Command and Control (T1071): Leveraged various command and control domains for communication.
DLL Sideloading (T1073): Used legitimate applications to load malicious DLLs.
Kerberoasting (T1558): Executed commands to query Active Directory for service principal names.
Living off the Land (T1203): Used built-in Windows tools like PowerShell and PsExec for lateral movement.
IoC:
[File Hash] 9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4
[File Hash] 51fe904458e216e75909f82a33dc4f163250b498b4e2d365880184e806d3db1a
[File Hash] 23221b6f95b9e3b165a84570212f2c8681cf888aa0fa78822f8500357eeafaf0
[File Hash] 86fd8328765e4803feedf5878a08c149c08d47c336578261a08a3e1933b68daa
[File Hash] 472a513eb60cba4a2320ebbc10d84679ebaa1a8f90e5a3764902a456b3936a17
[File Hash] f2fa6ae29306ed7171f2e9563ced9bbd6e337ed8c389b319df3c6b46eeb050f0
[File Hash] c1bec59afd3c6071b461bb480ff88ba7e36759a949f4850cc26f0c18e4c811a0
[File Hash] edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef
[File Hash] 1f6b69d11a3066e21c40002a25986c44e24a66f023a40e5f49eecaea33f5576d
[File Hash] d32cc7b31a6f98c60abc313abc7d1143681f72de2bb2604711a0ba20710caaae
[URL] hxxp://149.28.154[.]23:443
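As an added example (not part of the Symantec report or of this summary), the script below shows how a defender would turn the IoC list above into a usable detection set: it parses the `[File Hash]` / `[URL]` lines, refangs the defanged URL, rejects any "hash" that is not 64 hex characters (as listed on this page, the first hash is 63 characters long, so a SHA-256 comparison against it can never match), and then runs the surviving indicators over a few constructed Sysmon- and proxy-style log lines. The log lines, the `IOC_TEXT` excerpt and all function names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the IoC list above, in the same "[kind] value" format.
# The first hash is deliberately the 63-character entry as it appears on the page.
IOC_TEXT = """\
[File Hash] 9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4
[File Hash] 51fe904458e216e75909f82a33dc4f163250b498b4e2d365880184e806d3db1a
[File Hash] 23221b6f95b9e3b165a84570212f2c8681cf888aa0fa78822f8500357eeafaf0
[URL] hxxp://149.28.154[.]23:443
"""

# Constructed telemetry (not real logs): one Sysmon-style process event carrying the
# second hash in upper case, one proxy CONNECT to the C2 host:port, one benign event.
LOG_LINES = [
    "2024-05-02 10:14:03 sysmon Image=C:\\Users\\Public\\app.exe "
    "Hashes=SHA256=51FE904458E216E75909F82A33DC4F163250B498B4E2D365880184E806D3DB1A",
    "2024-05-02 10:14:07 proxy CONNECT 149.28.154.23:443 user=svc_backup",
    "2024-05-02 10:15:00 sysmon Image=C:\\Windows\\System32\\notepad.exe "
    "Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000",
]

IOC_LINE = re.compile(r"^\[(?P<kind>[^\]]+)\]\s+(?P<value>\S+)\s*$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")
HEX64 = re.compile(r"[0-9a-f]{64}")


@dataclass(frozen=True)
class Ioc:
    kind: str
    value: str


def refang(value: str) -> str:
    """Undo common defanging so the indicator can be compared with real telemetry."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", ".")
                 .replace("[:]", ":"))


def parse_iocs(text: str):
    """Return (valid_iocs, rejected_lines).

    File hashes are normalised to lower case and must be exactly 64 hex characters;
    anything else (e.g. a truncated 63-character value) is reported, not silently used.
    """
    valid, rejected = [], []
    for line in text.splitlines():
        m = IOC_LINE.match(line)
        if not m:
            if line.strip():
                rejected.append(line)
            continue
        kind, value = m["kind"], m["value"]
        if kind == "File Hash":
            value = value.lower()
            if not SHA256.match(value):
                rejected.append(line)
                continue
        elif kind == "URL":
            value = refang(value)
        valid.append(Ioc(kind, value))
    return valid, rejected


def match_log_lines(lines, iocs):
    """Return [(line_index, Ioc)] for every indicator found in the given log lines."""
    hashes = {i.value for i in iocs if i.kind == "File Hash"}
    url_patterns = []
    for ioc in iocs:
        if ioc.kind == "URL":
            # Match on host:port with boundaries so 149.28.154.23 does not hit 149.28.154.230.
            hostport = re.sub(r"^https?://", "", ioc.value).rstrip("/")
            pattern = re.compile(r"(?<![0-9A-Za-z.])" + re.escape(hostport) + r"(?![0-9A-Za-z])")
            url_patterns.append((ioc, pattern))
    hits = []
    for n, line in enumerate(lines):
        for token in HEX64.findall(line.lower()):   # hashes compared case-insensitively
            if token in hashes:
                hits.append((n, Ioc("File Hash", token)))
        for ioc, pattern in url_patterns:
            if pattern.search(line):
                hits.append((n, ioc))
    return hits


if __name__ == "__main__":
    iocs, rejected = parse_iocs(IOC_TEXT)
    for line in rejected:
        print("REJECTED (not a valid SHA-256 / unparsable):", line)
    for n, ioc in match_log_lines(LOG_LINES, iocs):
        print(f"line {n}: {ioc.kind} -> {ioc.value}")
```

Rejecting malformed indicators up front matters more than it looks: a truncated hash silently loaded into a blocklist produces a rule that never fires, and nobody notices the gap until the next incident. The same parser can be pointed at the full ten-hash list from the page once the first entry has been verified against the original Symantec write-up.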
Full Research: https://symantec-enterprise-blogs.security.com/threat-intelligence/us-china-espionage