
Researchers have documented a previously unknown threat actor whose activity aligns with the intelligence-collection interests of China. The group mainly targets government and telecommunications organizations in Africa, the Middle East and Asia, with the goal of maintaining long-term covert access to important systems.
Over the last two years, researchers at Palo Alto Networks have investigated separate clusters of malicious activity that have now been attributed to the same group: Phantom Taurus. Earlier, the company tracked these attacks under temporary names such as CL-STA-0043, TGR-STA-0043 and Operation Diplomatic Specter.
"Our observations suggest that the main focus areas of Phantom Taurus include ministries of foreign affairs, embassies, geopolitical events and military operations," the researchers wrote in their new report. "The group's primary purpose is espionage. Its attacks are characterized by stealth, persistence and the ability to quickly adapt its tactics, techniques and procedures (TTPs)."
Part of the group's broad toolset of custom-developed malware is a suite aimed at Microsoft Internet Information Services (IIS) web servers. Other tools include in-memory Visual Basic Script implants, a malware family called Specter (including the TunnelSpecter DNS tunneling program and the SweetSpecter remote access trojan), Agent Racoon, PlugX, Gh0st RAT, China Chopper, Mimikatz, and many other dual-use utilities and system tools.
A change in strategy
Earlier, Phantom Taurus had focused on harvesting mailboxes of interest from Exchange servers, which it compromised using known vulnerabilities such as ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473). But this year researchers noticed that the attackers had started searching and extracting data from SQL databases.
The group uses Windows Management Instrumentation (WMI) to execute a script, mssq.bat, which connects to a SQL database using the sa (system administrator) account and a password the attackers had previously obtained. The script then performs a dynamic search for specific keywords defined in it and saves the results as a CSV file.
"The threat actor used this method to search for documents of interest and information related to specific countries such as Afghanistan and Pakistan," the researchers said.
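As an added example (not code from the article or from the Unit 42 report), the following Python detection logic flags the two behaviours described above in constructed Sysmon-style process-creation events: a batch script launched under the WMI provider host, and a SQL command-line client logging in as sa while writing its output to a CSV file. The sqlcmd invocation, file paths and field names are assumptions made for illustration.

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\Temp\mssq.bat"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "CommandLine": r'sqlcmd -S localhost -U sa -P <redacted> -Q "<constructed keyword search>" -s , -o C:\Windows\Temp\result.csv'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "CommandLine": r'sqlcmd -S localhost -E -Q "SELECT @@VERSION"'},  # benign: Windows auth
]

WMI_HOST = "wmiprvse.exe"            # WMI provider host; parent of WMI-launched processes
SQL_CLIENTS = ("sqlcmd.exe", "osql.exe")

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (assumed field format)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev: dict) -> list[str]:
    """Return the names of the detection rules a single event matches."""
    hits = []
    cmd = ev.get("CommandLine", "")
    # Rule 1: WMI provider host spawning a process that runs a .bat file
    if basename(ev.get("ParentImage", "")) == WMI_HOST and re.search(r"\.bat\b", cmd, re.I):
        hits.append("wmi_spawned_batch_script")
    # Rule 2: SQL client using SQL auth as 'sa' and writing results to a CSV file
    if basename(ev.get("Image", "")) in SQL_CLIENTS:
        sa_login = re.search(r"(?:^|\s)-U\s+sa(?:\s|$)", cmd, re.I)
        csv_out = re.search(r"(?:^|\s)-o\s+\S+\.csv\b", cmd, re.I)
        if sa_login and csv_out:
            hits.append("sa_login_with_csv_export")
    return hits

def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Scan a batch of events; return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]
```

Either rule alone is noisy on an administrator's workstation; correlating both on a server within a short window, or a .bat launched by WmiPrvSE.exe on a host that never runs scheduled WMI jobs, is the stronger signal.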
NET-STAR malware suite
New to the Phantom Taurus toolset this year is NET-STAR, a set of web-based backdoors designed to interact with IIS web servers.
The main component, called IIServerCore, operates within the memory of the w3wp.exe IIS worker process and is capable of loading other fileless payloads directly into memory and executing arbitrary commands and command-line arguments.
"The initial component of IIServerCore is an ASPX web shell named OutlookEN.aspx," the researchers wrote. "This web shell contains an embedded Base64-encoded, compressed binary, the IIServerCore backdoor. When the web shell is executed, it loads the backdoor into the memory of the w3wp.exe process and invokes the Run method, which is the main function of IIServerCore."
Another component, called Assembly V1, is designed to execute .NET assembly bytecode in memory, while an extended version, Assembly V2, can additionally bypass the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).
"The result of the benign-looking code structure of the component is minimal flagging by antivirus engines on VirusTotal at the time of writing," the researchers said. "It shows a technique threat actors can use to build tools that avoid overt code which detection systems might interpret as malicious."
Phantom Taurus has in the past used operational infrastructure also seen in APT operations associated with other Chinese threat actors, such as Iron Taurus (aka APT27), Starchy Taurus (aka Winnti) and Stately Taurus (aka Mustang Panda). However, the specific infrastructure components used by Phantom Taurus have not been observed with other groups, suggesting that it is a separate group that runs its own operations.

