A cyber espionage operation, tracked as CL-STA-1087, has systematically targeted military networks across Southeast Asia since 2020. The operation is believed to be the work of a China-linked threat actor whose focus is not mass data theft but the acquisition of strategic intelligence.
Operation Tactics and Initial Exposure
The campaign’s stealth was compromised when endpoint security systems detected unusual PowerShell activity within a military network. Investigations revealed the attackers had already established a presence, employing scripts that communicated with multiple command-and-control servers. These scripts were deliberately programmed to pause for six hours between actions to elude detection tools.
PolySwarm analysts identified a key component of the operation, the AppleChris backdoor, confirming its role in the espionage activities. After a brief period of dormancy, the attackers resumed operations, moving laterally to infiltrate deeper into the network.
Tools and Techniques of the Attackers
Palo Alto Networks’ Unit 42 provided further insights into the campaign’s complexity. The attackers employed three principal tools: AppleChris, MemFun, and a modified version of the credential-stealing tool Mimikatz, known as Getpass. The operation’s timing and infrastructure suggested a strong connection to China, as evidenced by the attackers’ use of China-based cloud services and Simplified Chinese language elements.
To maintain a persistent presence, the attackers created new Windows services and performed DLL hijacking, disguising their operations within legitimate system processes.
Backdoor Mechanisms and Credential Theft
The AppleChris backdoor used a Dead Drop Resolver technique, retrieving encrypted server addresses from legitimate services like Pastebin or Dropbox rather than embedding them directly, which makes detection difficult. MemFun, another backdoor, operated entirely in memory, further complicating detection efforts. Its infection chain began with a disguised file named GoogleUpdate.exe, which launched an in-memory downloader.
Getpass specialized in extracting sensitive credentials by accessing the lsass.exe process. Unlike typical Mimikatz usage, this variant operated silently, storing collected data in a file that mimicked a legitimate Windows system file.
Military organizations are advised to enhance monitoring of PowerShell and WMI activity and to implement stringent controls on DLL loading and LSASS access to mitigate such threats.
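The behaviours described above (PowerShell scripts that sleep for hours between actions, new services installed from unusual paths, DLLs loaded from outside system directories, and non-system processes opening lsass.exe) each leave a footprint in standard Windows telemetry. The following Python script is an added example, not code from the article or from any of the vendors it cites. It runs four simple detection rules over a constructed batch of log events whose field names follow PowerShell script block logging (event 4104), the System log's service installation event (7045), and Sysmon's image-load (7) and process-access (10) events; the sample values, the trusted-directory list and the LSASS baseline are assumptions to be tuned per environment.

```python
import re

# Constructed sample events (not from the article), loosely modelled on JSON
# exports of Windows event logs and Sysmon. Field names follow those sources;
# paths, names and access masks are invented for illustration.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Channel": "PowerShell",
     "ScriptBlockText": "Start-Sleep -Seconds 21600; $r = Invoke-WebRequest $u"},
    {"EventID": 4104, "Channel": "PowerShell",
     "ScriptBlockText": "Get-Service | Where-Object Status -eq Running"},
    {"EventID": 7045, "Channel": "System",
     "ServiceName": "UpdaterSvc", "ImagePath": "C:\\Users\\Public\\GoogleUpdate.exe"},
    {"EventID": 7045, "Channel": "System",
     "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": 7, "Channel": "Sysmon", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Users\\Public\\version.dll", "Signed": "false"},
    {"EventID": 7, "Channel": "Sysmon", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"},
    {"EventID": 10, "Channel": "Sysmon", "SourceImage": "C:\\Users\\Public\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Channel": "Sysmon", "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"},
]

# Directories from which services and DLLs are normally expected to load (assumed).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Processes that legitimately open lsass.exe on a stock host (assumed baseline; tune it).
LSASS_BASELINE = {
    "c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\services.exe", "c:\\windows\\system32\\msmpeng.exe",
}
LONG_SLEEP_SECONDS = 3600  # anything at or above one hour is worth a look

# Start-Sleep with a bare number, -s or -Seconds; and the -Milliseconds form.
SLEEP_RE = re.compile(r"start-sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I)
SLEEP_MS_RE = re.compile(r"start-sleep\s+-m(?:illiseconds)?\s+(\d+)", re.I)


def long_sleep_seconds(script):
    """Return the longest Start-Sleep found in a script block, in seconds (0 if none)."""
    secs = [int(m) for m in SLEEP_RE.findall(script)]
    secs += [int(m) // 1000 for m in SLEEP_MS_RE.findall(script)]
    return max(secs, default=0)


def is_untrusted_path(path):
    """True when an image path lies outside the expected system directories."""
    return not path.lower().startswith(TRUSTED_DIRS)


def triage(events):
    """Apply the four rules and return (rule, event index, detail) findings."""
    findings = []
    for i, ev in enumerate(events):
        eid, channel = ev.get("EventID"), ev.get("Channel")
        if eid == 4104:
            s = long_sleep_seconds(ev.get("ScriptBlockText", ""))
            if s >= LONG_SLEEP_SECONDS:
                findings.append(("powershell_long_sleep", i, f"{s}s"))
        elif eid == 7045:
            if is_untrusted_path(ev.get("ImagePath", "")):
                findings.append(("service_untrusted_path", i, ev["ImagePath"]))
        elif eid == 7 and channel == "Sysmon":
            loaded = ev.get("ImageLoaded", "")
            if is_untrusted_path(loaded) and ev.get("Signed", "").lower() != "true":
                findings.append(("dll_untrusted_unsigned", i, loaded))
        elif eid == 10 and channel == "Sysmon":
            target = ev.get("TargetImage", "").lower()
            source = ev.get("SourceImage", "").lower()
            if target.endswith("\\lsass.exe") and source not in LSASS_BASELINE:
                findings.append(("lsass_access_unexpected", i, ev["SourceImage"]))
    return findings


if __name__ == "__main__":
    for rule, idx, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] event #{idx}: {detail}")
```

Run against the constructed batch, the script flags the six-hour sleep, the service installed from C:\Users\Public, the unsigned DLL loaded from the same directory, and the non-baseline process opening lsass.exe, while leaving the four benign events alone. In production the same rules would read from a SIEM export or Sysmon channel, and the directory and baseline lists would be built from the environment's own inventory rather than the assumptions used here.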