For years, a Chinese-speaking threat actor has been using a combination of custom malware, open-source tools, and living-off-the-land binaries in Windows and Linux environments to launch cyber-espionage attacks against critical infrastructure sectors across Asia. According to a recent report by Palo Alto Networks' Unit 42, the threat cluster, tracked as CL-UNK-1068, has been targeting aviation, energy, government, law enforcement, pharmaceuticals, technology, and telecommunications organizations throughout South, Southeast, and East Asia since at least 2020.
Attackers first gain access by exploiting Web servers and deploying Web shells, among them the GodZilla Web shell and an AntSword variant. Once that initial foothold is established, the attackers use the shells to move laterally to additional hosts and SQL servers.
The ultimate objective of the attacks is to steal credentials and exfiltrate sensitive data. The actor remains unidentified, but Unit 42 believes it is connected to China based on language use, tool origin, and "their consistent, long-standing targeting of critical infrastructure in Asia," according to Fakterman. Key indicators organizations should look for when hunting for CL-UNK-1068 include side-loading via legitimate Python binaries, the use of unauthorized tunneling tools such as FRP, and the execution of custom reconnaissance batch scripts.
Security teams should also look for unusual RAR compression and Base64 encoding activity, harden Internet-facing Web servers, watch for Web shell deployments, and hunt for evidence of credential-dumping tools such as Mimikatz, Fakterman said.
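To show what hunting for those indicators can look like in practice, the following Python sketch applies them as heuristics over process-creation events. It is an added example for this article, not detection content from Unit 42 or the report: the event fields (image, command line, parent image, loosely modelled on a Sysmon process-creation record), the list of expected Python install directories, the web-server and shell process names, and the sample events themselves are all assumptions constructed for illustration, and the rules are deliberately coarse starting points that a real deployment would tune against its own baseline.

```python
"""Heuristic triage of process-creation events for the CL-UNK-1068 tradecraft
described in the article. Added example, not Unit 42's detection content.
The ProcEvent shape is an assumption loosely modelled on Sysmon Event ID 1;
SAMPLE_EVENTS below are constructed, not real telemetry."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the newly created process
    command_line: str
    parent_image: str   # full path of the parent process


def _base(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path.lower())[-1]


# Assumed lists; tune to the environment being monitored.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd.exe", "httpd", "nginx", "tomcat9.exe",
                    "java", "java.exe", "php-cgi.exe"}
SHELL_PROCS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}
PYTHON_EXPECTED = (r"c:\program files\python", r"\appdata\local\programs\python\\",
                   "/usr/bin/python", "/usr/local/bin/python")
RECON_CMDS = ("whoami", "ipconfig", "ifconfig", "systeminfo", "tasklist", "net user",
              "net group", "netstat", "nltest", "quser", "arp -a")


def check_event(ev: ProcEvent) -> list[str]:
    """Return the names of every heuristic the event matches (empty if benign)."""
    hits: list[str] = []
    img, parent, cmd = _base(ev.image), _base(ev.parent_image), ev.command_line.lower()

    # Web shell: a web-server worker spawning an interactive shell.
    if parent in WEB_SERVER_PROCS and img in SHELL_PROCS:
        hits.append("web_shell_child_process")
    # Side-loading with a legitimate Python binary copied outside its install path.
    if img in ("python.exe", "pythonw.exe") and not any(
            p in ev.image.lower() for p in PYTHON_EXPECTED):
        hits.append("python_outside_expected_path")
    # FRP tunnelling: the frpc/frps binaries or their config files on the command line.
    if img in ("frpc.exe", "frps.exe", "frpc", "frps") or re.search(
            r"frp[cs]\.(ini|toml|ya?ml|json)", cmd):
        hits.append("frp_tunnel")
    # Reconnaissance batch script: several recon commands chained in one cmd.exe call.
    if img == "cmd.exe" and sum(c in cmd for c in RECON_CMDS) >= 3:
        hits.append("recon_command_chain")
    # Staging for exfiltration: rar/winrar invoked with the archive ("a") command.
    if img in ("rar.exe", "winrar.exe") and re.search(r"(^|\s)a\s", cmd):
        hits.append("rar_staging")
    # Base64 decoding on the host (certutil, PowerShell -enc, base64 -d).
    if (re.search(r"certutil.*-decode", cmd)
            or (img in ("powershell.exe", "pwsh.exe")
                and re.search(r"(^|\s)-e(c|nc|ncodedcommand)?\s|frombase64string", cmd))
            or re.search(r"base64\s+(-d|--decode)", cmd)):
        hits.append("base64_decode_activity")
    # Credential dumping: Mimikatz module syntax survives renaming the binary.
    if img == "mimikatz.exe" or re.search(r"sekurlsa::|lsadump::|privilege::debug", cmd):
        hits.append("credential_dumping")
    return hits


def triage(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """(event index, rule name) for every match across a batch of events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


def summarize(events: list[ProcEvent]) -> Counter:
    """Rule name -> number of events that matched it."""
    return Counter(rule for _, rule in triage(events))


# Constructed sample events: seven suspicious, two benign controls at the end.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
              r"C:\Windows\System32\inetsrv\w3wp.exe"),
    ProcEvent(r"C:\Users\Public\python.exe", "python.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\ProgramData\svc.exe", "svc.exe -c frpc.toml", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "whoami & ipconfig /all & tasklist & net user"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\Temp\rar.exe", r"rar.exe a -hpSecret -v50m C:\Windows\Temp\d.rar C:\Data",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -decode C:\Windows\Temp\p.txt C:\Windows\Temp\p.exe",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\Temp\m.exe", 'm.exe "privilege::debug" "sekurlsa::logonpasswords"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Program Files\Python311\python.exe", "python.exe -m pip list",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}  <- {SAMPLE_EVENTS[idx].command_line}")
    print(dict(summarize(SAMPLE_EVENTS)))
```

Each rule keys on behaviour rather than a file hash, which is the point of the indicators listed above: a renamed Mimikatz still uses `sekurlsa::` syntax, a renamed FRP client still reads an `frpc.*` config, and a Python interpreter used for side-loading still runs from a directory where no interpreter was installed. The Python path allow-list is the rule most likely to need local tuning.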