Full Report
A suspected China-based threat actor has been linked to a series of cyber attacks targeting high-profile organizations in Southeast Asia since at least October 2023. The espionage campaign targeted organizations in various sectors spanning government ministries in two different countries, an air traffic control organization, a telecoms company, and a media outlet, the Symantec Threat Hunter Team
Analysis Summary
# Threat Actor: Suspected China-Based APT Group
## Attribution & Identity
- **Attribution:** Suspected China-based Advanced Persistent Threat (APT) actors.
- **Aliases/Known Associations:** The tools leveraged are linked to China-based APT groups.
## Activity Summary
A series of cyber espionage attacks targeting high-profile organizations in Southeast Asia, active since at least October 2023. The campaign involved maintaining extended covert access to conduct reconnaissance and harvest credentials over prolonged periods (e.g., one engagement lasted three months: June to August 2024). Activities included password dumping and network mapping.
## Tactics, Techniques & Procedures
- Use of open-source and Living-off-the-Land (LotL) techniques.
- Deployment of reverse proxy programs (Rakshasa, Stowaway).
- Use of asset discovery and identification tools.
- Installation of keyloggers and password stealers.
- Deployment of the PlugX (Korplug) Remote Access Trojan (RAT).
- Installation of customized DLL files that act as authentication mechanism filters, intercepting login credentials as they are processed.
- Data exfiltration: harvested data was compressed into password-protected archives with WinRAR and then uploaded to cloud storage services.
- **MITRE ATT&CK IDs:** Not explicitly mentioned in the text, but the keylogging and password dumping map to credential access (T1003 OS Credential Dumping, T1056 Input Capture) and the LotL activity to T1218 (System Binary Proxy Execution) and T1021 (Remote Services).
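The staging-then-upload pattern described above (WinRAR archive with a password switch, followed by a connection to a cloud storage service such as File.io) can be turned into a simple correlation rule. The following is an added example written for this summary, not code from Symantec or the report; the Sysmon-style JSON events, host names and the 60-minute window are constructed assumptions.

```python
import json
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry (not from the report): Sysmon-style process and
# network events as JSON lines. Host WS-17 shows the staging pattern; WS-22
# archives without a password and WS-31 uploads without archiving first.
SAMPLE_EVENTS = r"""
{"ts":"2024-07-02T01:10:05","host":"WS-17","type":"process","image":"C:\\Program Files\\WinRAR\\Rar.exe","cmdline":"Rar.exe a -hpS3cret! C:\\Users\\Public\\out.rar C:\\Users\\j.doe\\Documents"}
{"ts":"2024-07-02T01:25:40","host":"WS-17","type":"network","image":"C:\\Windows\\System32\\curl.exe","dest_host":"file.io","dest_port":443}
{"ts":"2024-07-02T02:00:00","host":"WS-22","type":"process","image":"C:\\Program Files\\WinRAR\\WinRAR.exe","cmdline":"WinRAR.exe a C:\\Temp\\backup.rar C:\\Temp\\logs"}
{"ts":"2024-07-02T02:05:00","host":"WS-22","type":"network","image":"C:\\Program Files\\WinRAR\\WinRAR.exe","dest_host":"file.io","dest_port":443}
{"ts":"2024-07-02T05:00:00","host":"WS-17","type":"process","image":"C:\\Program Files\\WinRAR\\Rar.exe","cmdline":"Rar.exe a -pQwerty C:\\Users\\Public\\more.rar C:\\Users\\Public\\notes"}
{"ts":"2024-07-02T09:00:00","host":"WS-31","type":"network","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dest_host":"file.io","dest_port":443}
"""

ARCHIVERS = {"rar.exe", "winrar.exe"}
# Cloud storage endpoint named in the report (File.io); extend for your environment.
CLOUD_STORAGE = {"file.io"}

def is_password_protected_rar(image: str, cmdline: str) -> bool:
    """True when a WinRAR 'add' command carries -p<pwd> or -hp<pwd> (header encryption)."""
    if PureWindowsPath(image).name.lower() not in ARCHIVERS:
        return False
    tokens = cmdline.split()
    if len(tokens) < 2 or tokens[1].lower() != "a":   # 'a' = add files to archive
        return False
    # "-p-" means "do not prompt for a password", so it is not an encryption switch
    return any(t.lower().startswith(("-p", "-hp")) and t != "-p-" for t in tokens[2:])

def detect_staged_exfil(events_jsonl: str, window_minutes: int = 60) -> list[dict]:
    """Correlate a password-protected archive with a later cloud upload from the same host."""
    events = [json.loads(line) for line in events_jsonl.strip().splitlines()]
    events.sort(key=lambda e: e["ts"])            # ISO-8601 strings sort chronologically
    window = timedelta(minutes=window_minutes)
    alerts, pending = [], {}                      # pending: host -> time of last protected archive
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "process" and is_password_protected_rar(e["image"], e["cmdline"]):
            pending[e["host"]] = ts
        elif e["type"] == "network" and e["dest_host"].lower() in CLOUD_STORAGE:
            staged = pending.get(e["host"])
            if staged is not None and ts - staged <= window:
                alerts.append({"host": e["host"], "archive_ts": staged.isoformat(),
                               "upload_ts": ts.isoformat(), "dest": e["dest_host"]})
                del pending[e["host"]]            # one alert per staging event
    return alerts

if __name__ == "__main__":
    for alert in detect_staged_exfil(SAMPLE_EVENTS):
        print("ALERT staged exfiltration:", alert)
```

Only WS-17 fires: WS-22 archived without a password and WS-31 contacted file.io with no preceding archive, which keeps routine WinRAR use and ordinary browsing out of the alert queue.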
## Targeting
- **Sectors:** Government ministries (in two different countries), an air traffic control organization, a telecoms company, and a media outlet.
- **Geography:** Southeast Asia.
- **Victims:** Not named in the report; characterized only by the sectors listed above.
## Tools & Infrastructure
- **Malware families used:**
  - PlugX (aka Korplug) RAT
  - Keyloggers
  - Password stealers
  - Customized DLL files (for credential filtering)
- **Infrastructure (C2, domains, IPs):**
  - Cloud storage services (e.g., File.io) were used for exfiltration staging.
  - Reverse proxies: Rakshasa, Stowaway.
## Implications
The activity suggests a highly sophisticated and persistent espionage operation aimed at strategic intelligence gathering within high-value sectors in Southeast Asia. The extended dwell time indicates a capability to evade detection even after initial network penetration.
## Mitigations
- Monitor for the deployment and execution of known malware like PlugX.
- Implement stringent controls or monitoring around LotL execution paths.
- Monitor for suspicious network traffic indicative of reverse proxy beaconing.
- Audit and secure authentication mechanisms, paying close attention to unauthorized DLL loading into authentication components and to other signs of credential interception.
- Implement robust network segmentation and monitor for long-term lateral movement or network mapping.