| Category | Details |
|---|---|
| Threat Actors | Likely China-based attackers; potential links to Daggerfly and Crimson Palace espionage groups. |
| Campaign Overview | Four-month-long intrusion targeting a U.S. organization with a presence in China, aimed at intelligence gathering. |
| Target Regions | U.S. organization, possibly with interests extending to Southeast Asia. |
| Methodology | Persistent network access, lateral movement, data exfiltration, and intelligence gathering. |
| Product Targeted | Microsoft Exchange Servers (email harvesting), Active Directory. |
| Malware Reference | CoreFoundation.dll, textinputhost.dat, gtn.dll. |
| Tools Used | Impacket, FileZilla, PSCP (renamed as vmtools.exe), PsExec, PowerShell, reg.exe, WMI, GoogleToolbarNotifier, iTunesHelper, GoogleUpdate. |
| Vulnerabilities Exploited | Not specified, but involved DLL sideloading, Kerberoasting, and potential use of public AD exploitation tools. |
| TTPs | DLL sideloading, Kerberoasting, credential dumping, living-off-the-land techniques, exfiltration via FTP/SFTP. |
| Attribution | Evidence points to Chinese APT groups; file usage and methodologies align with known Chinese tactics. |
| Recommendations | Implement endpoint behavioral protection, monitor anomalous command-line activity, restrict PowerShell usage, and enable auditing of AD and Exchange servers. |
| Source | Symantec |
Read full article: https://www.security.com/threat-intelligence/us-china-espionage
Disclaimer: The above summary has been generated by an AI language model
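As an added example (not code from the Symantec report or from this summary), two of the checks the Recommendations row asks for, run over constructed telemetry: a renamed-tool check that compares a process's on-disk file name with the PE OriginalFileName that Sysmon records (the report's PSCP renamed to vmtools.exe), and a Kerberoasting indicator over Windows Security event 4769 that flags accounts requesting RC4 (0x17) service tickets for several SPNs. The event field names, account and service names are assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed sample telemetry (not taken from the Symantec report): Sysmon-style
# process-creation records carrying the PE OriginalFileName, plus Windows
# Security 4769 (Kerberos service ticket request) records.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\ProgramData\vmtools.exe", "original_filename": "pscp.exe"},
    {"type": "process", "image": r"C:\Windows\System32\reg.exe", "original_filename": "reg.exe"},
    {"type": "kerberos", "event_id": 4769, "account": "jdoe@CORP.EXAMPLE",
     "service": "svc_sql", "ticket_encryption": "0x17"},
    {"type": "kerberos", "event_id": 4769, "account": "jdoe@CORP.EXAMPLE",
     "service": "svc_backup", "ticket_encryption": "0x17"},
    {"type": "kerberos", "event_id": 4769, "account": "jdoe@CORP.EXAMPLE",
     "service": "krbtgt", "ticket_encryption": "0x12"},
]

# Tools named in the report; PSCP was observed renamed to vmtools.exe, so the
# on-disk name is compared with the OriginalFileName from the PE header.
WATCHED_TOOLS = {"pscp.exe", "psexec.exe", "filezilla.exe"}
RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769


def find_renamed_tools(events):
    """Image paths whose OriginalFileName is a watched tool but whose
    file name on disk differs (a renamed copy such as vmtools.exe)."""
    hits = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        orig = ev["original_filename"].lower()
        if orig in WATCHED_TOOLS and orig != ntpath.basename(ev["image"]).lower():
            hits.append(ev["image"])
    return hits


def find_kerberoast_indicators(events, min_services=2):
    """Accounts that requested RC4 service tickets for at least
    `min_services` distinct non-krbtgt SPNs, with the SPNs they touched."""
    rc4_by_account = defaultdict(set)
    for ev in events:
        if ev.get("type") != "kerberos" or ev.get("event_id") != 4769:
            continue
        if ev["ticket_encryption"] != RC4_HMAC or ev["service"] == "krbtgt":
            continue
        rc4_by_account[ev["account"]].add(ev["service"])
    return {acct: sorted(svcs) for acct, svcs in rc4_by_account.items()
            if len(svcs) >= min_services}
```

The RC4 check catches the classic case; a tenant that still issues RC4 tickets legitimately will need the distinct-SPN threshold raised or a baseline per account.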