A sophisticated cyber espionage campaign linked to China has targeted military organizations across Southeast Asia, according to cybersecurity firm Palo Alto Networks. This operation, reportedly ongoing since at least 2020, is attributed to a state-backed threat group known as CL-STA-1087. The group has demonstrated significant patience, remaining inactive within compromised systems for extended periods.
Stealthy Operations and Targets
The espionage efforts involved meticulous searches for sensitive military data, including details about capabilities and joint initiatives with Western forces. Palo Alto Networks highlighted the use of specialized tools such as the AppleChris and MemFun backdoors, alongside the Getpass credential stealer. These tools were deployed alongside malicious PowerShell scripts to control multiple infected machines remotely.
Although the initial method of compromise remains unidentified, the attackers were found to have sustained access to an organization’s network for months before initiating further activity. Notably, they used PowerShell scripts to establish reverse shells to their command-and-control (C&C) servers. They then deployed the AppleChris backdoor and used WMI and native Windows commands to move to other critical systems.
Advanced Malware Techniques
To maintain persistence, the attackers created new services and placed malicious DLL files in the System32 directory, relying on DLL hijacking to have their payloads loaded and executed covertly. As they expanded their infiltration, they focused on acquiring sensitive files, including operational assessments and military strategy documents related to C4I systems.
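A defender-side hunt for the two behaviours described above (PowerShell reverse shells and new services backed by DLLs placed in System32), as an added example that is not code from the report or from Palo Alto Networks; the event field names, indicator weights, baseline DLL set and all sample records are constructed assumptions:

```python
import re
from typing import Optional

# Weighted reverse-shell indicators for PowerShell script block logs (Event ID
# 4104). Patterns and weights are assumptions for this example, not from the report.
REVERSE_SHELL_INDICATORS = [
    (re.compile(r"System\.Net\.Sockets\.TCPClient", re.I), 3),  # outbound socket
    (re.compile(r"\.GetStream\(\)", re.I), 2),                   # raw stream I/O
    (re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 2),      # runs received text
]
REVERSE_SHELL_THRESHOLD = 5

def score_script_block(script_text: str) -> int:
    """Sum the weights of all indicators present in one script block."""
    return sum(w for rx, w in REVERSE_SHELL_INDICATORS if rx.search(script_text))

# DLLs expected to back services on the build under review. Assumed baseline for
# this example; in practice derive it from a known-good host of the same build.
DEFAULT_BASELINE = frozenset({"wuaueng.dll", "schedsvc.dll"})
SYSTEM32_DLL = re.compile(r"\\System32\\([^\\\s\"']+\.dll)", re.I)

def suspicious_service_dll(service_dll: str, baseline: frozenset) -> Optional[str]:
    """Return the DLL name when a newly installed service (Event ID 7045 joined
    with its ServiceDll value) points at a System32 DLL absent from the baseline."""
    m = SYSTEM32_DLL.search(service_dll)
    if m is None:
        return None
    name = m.group(1).lower()
    return None if name in baseline else name

def hunt(events, baseline=DEFAULT_BASELINE):
    """Walk mixed event records and return (event_id, reason) findings."""
    findings = []
    for ev in events:
        if ev["id"] == 4104:
            s = score_script_block(ev["script"])
            if s >= REVERSE_SHELL_THRESHOLD:
                findings.append((4104, f"reverse-shell score {s} on {ev['host']}"))
        elif ev["id"] == 7045:
            dll = suspicious_service_dll(ev["service_dll"], baseline)
            if dll:
                findings.append((7045, f"{ev['service']} on {ev['host']} loads unknown {dll}"))
    return findings

# Constructed sample records: hosts, service and DLL names are invented and the
# script fragment is deliberately incomplete (indicators only).
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ws01", "script": "Get-Service | Where-Object Status -eq 'Running'"},
    {"id": 4104, "host": "ws02", "script": "New-Object System.Net.Sockets.TCPClient(<C2_PLACEHOLDER>) ... .GetStream() ... iex $data"},
    {"id": 7045, "host": "ws02", "service": "wuauserv", "service_dll": "%SystemRoot%\\System32\\wuaueng.dll"},
    {"id": 7045, "host": "ws02", "service": "WinUpd8", "service_dll": "C:\\Windows\\System32\\upd8svc.dll"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields one 4104 finding for ws02 and one 7045 finding for the invented WinUpd8 service; the benign script block and the baseline-listed wuaueng.dll produce nothing.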
The group used multiple iterations of the AppleChris backdoor, with earlier versions utilizing Dropbox and Pastebin for communication. A more recent variant, known as Tunneler, incorporated advanced network proxy features while relying solely on Pastebin. This backdoor enabled the attackers to perform various tasks, such as file manipulation and remote command execution.
Continued Threat and Implications
In addition to AppleChris, the hackers employed MemFun, a multi-stage malware that leverages reflective DLL loading for its operations. They also deployed a customized version of Mimikatz, named Getpass, to harvest credentials from specific Windows authentication packages.
Analysis of the attackers’ activities suggests they have been active since 2020, with evidence indicating ongoing communication through platforms like Pastebin and Dropbox. Palo Alto Networks’ investigation also revealed that the group operates in alignment with time zones typical of China and other Asian regions, reinforcing suspicions of their geographic origin.
This campaign’s focus on Southeast Asian military entities and the use of China-based infrastructure, along with Simplified Chinese on C&C interfaces, strongly indicates that the group is operating from China. The continued evolution and sophistication of such operations underscore the persistent threats faced by military organizations in the region.
