Unit 42 uncovers multiple clusters of cyberespionage targeting a Southeast Asian government organization with USBFect, RATs and loaders. The post Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government appeared first on Unit 42.
Analysis Summary
A structured summary of the threat-actor analysis in the Unit 42 article.
# Threat Actors: Three Activity Clusters (STALKER-GOLDBACKPACK, GALLIUM/SoftCell, USBFect cluster)
*Note: The report identifies three distinct clusters of activity targeting a single Southeast Asian government organization, whose TTPs and targeting overlap significantly with known Chinese APT groups.*
## Attribution & Identity
* **Cluster 1 (STALKER-GOLDBACKPACK):** Unnamed Chinese-affiliated cluster previously associated with the "Stalker" campaign (observed in 2021-2022).
* **Cluster 2 (GALLIUM/SoftCell):** Attributed to **GALLIUM** (also known as **SoftCell**), a sophisticated threat actor often linked to Chinese state interests.
* **Cluster 3:** Unnamed cluster utilizing the "USBFect" malware; shares infrastructure patterns and lateral movement techniques common to Chinese espionage operations.
## Activity Summary
The report details a sustained cyberespionage campaign targeting a specific Southeast Asian government entity. The actors utilized a variety of custom backdoors and loaders to maintain persistence. Key activities include:
* The deployment of the **GOLDBACKPACK** beacon.
* The use of **USBFect**, a sophisticated malware designed to spread via USB drives and exfiltrate data from air-gapped or restricted systems.
* Lateral movement using legitimate administrative tools and credential harvesting.
## Tactics, Techniques & Procedures
* **Initial Access:** Highly likely via USB drive infection (Cluster 3) and exploitation of internet-facing applications.
* **Evasion:** DLL Side-loading (T1574.002) using legitimate binaries (e.g., `MccpSvc.exe`, `CiscoCollabHost.exe`) to load malicious payloads.
* **Lateral Movement:** Use of `wmiexec` and `psexec` for remote code execution.
* **Reconnaissance:** Heavy use of `net.exe` and `ping.exe` to map the internal network.
* **Persistence:** Establishing Scheduled Tasks (T1053.005) and modifying Registry Run keys.
* **Propagation:** Automating the infection of removable media (T1091) to bridge network segments.
## Targeting
* **Sectors:** Government and Public Sector.
* **Geography:** Southeast Asia (Specific country not named, but identified as a high-interest intelligence target).
* **Victims:** A single high-level government organization and its various sub-departments.
## Tools & Infrastructure
* **Malware Families:**
  * **USBFect:** A modular malware framework for USB-based exfiltration and execution.
  * **GOLDBACKPACK:** A custom Cobalt Strike-like beacon/backdoor.
  * **ShadowPad:** Commonly used by GALLIUM/SoftCell.
  * **PingPull:** A remote access trojan (RAT) used by GALLIUM.
  * **QuasarRAT:** Open-source RAT adapted for this campaign.
* **Infrastructure:**
  * **C2 Domains:**
    * `update.it-support[.]top`
    * `api.any-connect[.]com`
    * `cloud.security-update[.]io`
  * **IP Addresses:**
    * `45.121.146[.]123`
    * `103.27.108[.]195`
    * `159.65.139[.]22`
## Implications
The convergence of three distinct clusters on a single government entity highlights the extreme intelligence value of the target. The use of USB-based propagation (USBFect) suggests the threat actors are prepared to traverse "air-gapped" or highly segmented networks. The overlap in infrastructure and tools indicates a coordinated or at least parallel effort by Chinese-affiliated groups to maintain long-term access for strategic data theft.
## Mitigations
* **USB Policy:** Implement strict controls on the use of removable media; consider "Allow-listing" specific devices or disabling USB ports on critical assets.
* **Endpoint Security:** Use EDR solutions to monitor for DLL side-loading patterns, specifically looking for legitimate signed binaries loading unsigned DLLs from unusual directories (`C:\ProgramData\`).
* **Task Monitoring:** Audit Scheduled Tasks and Registry Run keys for unauthorized persistence mechanisms.
* **Network Segmentation:** Monitor and restrict lateral movement over WMI and SMB (e.g., `wmiexec`, `psexec`) between workstations.
* **Credential Guard:** Enable Windows Defender Credential Guard to prevent memory-based credential harvesting.
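The endpoint-security mitigation above describes a detection pattern (a legitimately signed binary loading an unsigned DLL from an unusual directory such as `C:\ProgramData\`) rather than a tool. The following is an added example, not code from Unit 42 or the report, that applies that pattern to image-load telemetry. The record layout is constructed: the `Image`, `ImageLoaded` and `SignatureStatus` fields mirror Sysmon Event ID 7, while `HostSignatureStatus` is an assumed field that a real pipeline would have to join in from its EDR's process metadata (Sysmon does not report the loading process's signature). The file paths and the placeholder DLL names are constructed; only the host binary names `CiscoCollabHost.exe` and `MccpSvc.exe` come from the report.

```python
"""Flag DLL side-loading candidates in image-load telemetry (added example).

Records are constructed to resemble Sysmon Event ID 7 (Image, ImageLoaded,
SignatureStatus) plus an assumed HostSignatureStatus field supplied by the
EDR for the loading process.
"""
from pathlib import PureWindowsPath

# Roots from which signed software is expected to load its own DLLs.
TRUSTED_ROOTS = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

# User-writable staging locations; C:\ProgramData is the one the report names.
SUSPICIOUS_ROOTS = (
    r"C:\ProgramData",
    r"C:\Users\Public",
)


def _under(path: str, roots) -> bool:
    """True if `path` lies below any of `roots` (PureWindowsPath compares case-insensitively)."""
    parents = PureWindowsPath(path).parents
    return any(PureWindowsPath(root) in parents for root in roots)


def classify(event: dict) -> tuple[str, list[str]]:
    """Return ("alert" | "review" | "ok", reasons) for one image-load record."""
    host, dll = event["Image"], event["ImageLoaded"]
    host_signed = event["HostSignatureStatus"] == "Valid"
    dll_signed = event["SignatureStatus"] == "Valid"
    reasons: list[str] = []

    # Side-loading abuses a *signed* host; unsigned hosts are a different rule.
    if not host_signed or dll_signed:
        return "ok", reasons
    # Unsigned plug-ins under Program Files are common and too noisy to flag here.
    if _under(dll, TRUSTED_ROOTS):
        return "ok", reasons

    reasons.append("signed host loaded unsigned DLL outside trusted roots")
    same_dir = PureWindowsPath(dll).parent == PureWindowsPath(host).parent
    if same_dir:
        reasons.append("DLL sits beside the host binary (classic side-load layout)")
    if _under(host, SUSPICIOUS_ROOTS):
        reasons.append("signed host is running from a user-writable directory")

    level = "alert" if (same_dir or _under(host, SUSPICIOUS_ROOTS)) else "review"
    return level, reasons


def scan(events: list[dict]) -> list[dict]:
    """Return findings (level != ok) for a batch of records, in input order."""
    findings = []
    for ev in events:
        level, reasons = classify(ev)
        if level != "ok":
            findings.append({"host": ev["Image"], "dll": ev["ImageLoaded"],
                             "level": level, "reasons": reasons})
    return findings


# Constructed sample telemetry (paths and DLL names are placeholders).
SAMPLE_EVENTS = [
    # 1: the pattern in the report: a signed vendor binary staged under
    #    ProgramData loads an unsigned DLL from its own directory -> alert
    {"Image": r"C:\ProgramData\Collab\CiscoCollabHost.exe", "HostSignatureStatus": "Valid",
     "ImageLoaded": r"C:\ProgramData\Collab\helper.dll", "SignatureStatus": "Unavailable"},
    # 2: routine OS activity -> ok
    {"Image": r"C:\Windows\System32\svchost.exe", "HostSignatureStatus": "Valid",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "SignatureStatus": "Valid"},
    # 3: unsigned plug-in under Program Files -> ok (deliberately not flagged)
    {"Image": r"C:\Program Files\Vendor\app.exe", "HostSignatureStatus": "Valid",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "SignatureStatus": "Unavailable"},
    # 4: signed binary in a trusted root pulls an unsigned DLL from Temp -> review
    {"Image": r"C:\Program Files\Vendor\MccpSvc.exe", "HostSignatureStatus": "Valid",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\x.dll", "SignatureStatus": "Unavailable"},
    # 5: unsigned host and unsigned DLL: out of scope for this rule -> ok
    {"Image": r"C:\Users\alice\Downloads\tool.exe", "HostSignatureStatus": "Unavailable",
     "ImageLoaded": r"C:\Users\alice\Downloads\lib.dll", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["level"].upper(), finding["host"], "->", finding["dll"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The rule deliberately stays quiet on unsigned plug-ins under `Program Files` and on unsigned hosts, so that the "alert" tier is reserved for the layout the report describes: a signed executable that has been copied somewhere writable and loads an unsigned DLL from beside itself. Tune `SUSPICIOUS_ROOTS` to the staging directories seen in your own environment.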