High-profile organizations across South, Southeast, and East Asia are under threat as a Chinese cyber group orchestrates a prolonged campaign targeting critical sectors. According to Palo Alto Networks’ Unit 42, this group, referred to as CL-UNK-1068, has been focusing on industries like aviation, energy, government, and telecommunications, employing cyber espionage as a key tactic.
Unveiling the Threat Actor
The cluster of activities attributed to CL-UNK-1068 involves a sophisticated toolkit comprising custom malware and modified open-source utilities. Tom Fakterman from Unit 42 noted that these tools, designed for both Windows and Linux, enable attackers to sustain their foothold within victim environments. Notably, the group utilizes a combination of open-source tools and malware like Godzilla, ANTSWORD, Xnote, and Fast Reverse Proxy (FRP), previously associated with Chinese hacking groups.
Godzilla and ANTSWORD function as web shells, while Xnote serves as a Linux backdoor, used by Earth Berberoka in attacks on online gambling platforms since 2015. The attackers exploit web servers to deploy these tools, moving laterally to extract sensitive files, including credentials and configuration files, to identify vulnerabilities.
Technical Tactics and Data Exfiltration
CL-UNK-1068’s strategy involves harvesting various file types from targeted systems, such as browser history and database backups, and using WinRAR to archive them. The group then Base64-encodes the archives and prints the encoded text through the web shell’s command output, so the data leaves the host as ordinary web responses rather than as direct file downloads. This method relies only on the web shell’s ability to run commands and return their output on compromised hosts.
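Added detection example (not from the Unit 42 report or the article): it scans process-creation events for the archive-then-Base64 chain described above when the commands descend from a web server worker, which is how a web shell runs them. The event fields (host, pid, ppid, image, parent_image, cmdline), the worker process names and the sample events are assumptions constructed for the example; it also generalizes beyond WinRAR to tar and the Linux base64 utility.

```python
import re
from collections import defaultdict

# Assumed names of server worker processes that typically host web shells.
WEB_WORKERS = {"w3wp.exe", "httpd", "nginx", "php-fpm", "java", "tomcat"}
# Archivers: 'rar a' / '7z a' (add to archive), 'tar c?f', 'zip -r'.
ARCHIVE_RE = re.compile(
    r"\b(?:rar|winrar|7z)(?:\.exe)?[\"']?\s+a\b|\btar\s+-?[a-z]*c[a-z]*f\b|\bzip\s+-r\b", re.I)
# Base64 encoders: certutil -encode, the coreutils base64 tool, .NET ToBase64String.
ENCODE_RE = re.compile(
    r"certutil(?:\.exe)?\s+.*-encode|(?:^|\s|/)base64\b|tobase64string", re.I)

def _base(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(cmdline):
    if ARCHIVE_RE.search(cmdline):
        return "archive"
    if ENCODE_RE.search(cmdline):
        return "encode"
    return None

def find_exfil_chains(events):
    """Flag hosts where a process descended from a web worker archives files and
    then Base64-encodes the result. `events` must be sorted by time."""
    lineage = defaultdict(set)   # host -> pids descended from a web worker
    pending = {}                 # host -> archive command awaiting an encoder
    hits = []
    for ev in events:
        host, pid = ev["host"], ev["pid"]
        if _base(ev["parent_image"]) in WEB_WORKERS or ev["ppid"] in lineage[host]:
            lineage[host].add(pid)
        else:
            continue             # not web-shell lineage: backups etc. are ignored
        stage = classify(ev["cmdline"])
        if stage == "archive":
            pending[host] = ev["cmdline"]
        elif stage == "encode" and host in pending:
            hits.append({"host": host, "archive": pending.pop(host), "encode": ev["cmdline"]})
    return hits

# Constructed sample events (not real telemetry), already sorted by time.
SAMPLE_EVENTS = [
    {"host": "web01", "pid": 3001, "ppid": 900, "image": r"C:\Program Files\WinRAR\rar.exe",
     "parent_image": "svchost.exe", "cmdline": r"rar.exe a D:\backup\daily.rar D:\data"},  # benign backup
    {"host": "web01", "pid": 4100, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe", "parent_image": "w3wp.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files\WinRAR\rar.exe" a -r C:\Windows\Temp\d.rar C:\inetpub\wwwroot\web.config'},
    {"host": "web01", "pid": 4112, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe", "parent_image": "w3wp.exe",
     "cmdline": r"cmd.exe /c certutil -encode C:\Windows\Temp\d.rar C:\Windows\Temp\d.txt"},
    {"host": "lin01", "pid": 2200, "ppid": 800, "image": "/bin/sh", "parent_image": "httpd",
     "cmdline": "sh -c 'tar czf /tmp/.c.tgz /etc/passwd /var/www/html/config.php'"},
    {"host": "lin01", "pid": 2207, "ppid": 2200, "image": "/usr/bin/base64", "parent_image": "sh",
     "cmdline": "base64 /tmp/.c.tgz"},
]
```

Running `find_exfil_chains(SAMPLE_EVENTS)` flags web01 and lin01 while ignoring the scheduled backup, because lineage is checked before the command is classified.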
The adversary also employs legitimate Python executables for DLL side-loading attacks, facilitating the stealthy execution of malicious DLLs. Tools like PrintSpoofer and a Go-based scanner named ScanPortPlus are integral to maintaining persistent access and conducting reconnaissance. The group has shifted towards using batch scripts to gather host data and map environments.
Implications and Future Outlook
The diverse toolkit and operational flexibility of CL-UNK-1068 underline the persistent cyber threat to critical infrastructure in Asia. While the primary motive appears to be espionage, the possibility of cybercriminal intent cannot be entirely dismissed. The group’s ability to operate across different operating systems and utilize community-shared malware highlights the ongoing challenges faced by organizations in securing their networks.
As CL-UNK-1068 continues to evolve, the focus on protecting sensitive data and bolstering cybersecurity measures remains crucial for at-risk sectors. Organizations must stay vigilant and adapt to the ever-changing landscape of cyber threats to mitigate potential impacts.
