Trend Micro Spots Possible iSoon Campaign
Victims Include at Least 70 Organizations Across 23 Countries
Security researchers say they've spotted a hacking campaign with a strong focus in Southeast Asia that could be the work of Chinese state hacking contractor iSoon, the company whose February internal data leak threw a spotlight on a network of private sector companies hacking on behalf of Beijing.
The campaign, active since early 2022, shows multiple indicators of a Chinese nexus, said Trend Micro. Attackers downloaded malware used during the lateral movement stage of the campaign from IP addresses the company previously attributed to a China-nexus group it tracks as Earth Lusca. The firm also saw overlaps in the command-and-control infrastructure, as well as domain names used by Earth Lusca.
But the initial-stage backdoors are different from those used by Earth Lusca, leading Trend Micro to call this campaign the work of a separate group it dubbed Earth Krahang. Previous work by Trend Micro already linked Earth Lusca to iSoon, leading the company to take a closer look at the leaked repository of spreadsheets, chat logs and marketing materials that evidently originated from Shanghai-based iSoon (see: Chinese Hacking Contractor iSoon Leaks Internal Documents).
"Using this leaked information, we found that the company organized their penetration team into two different subgroups. This could be the possible reason why we saw two independent clusters of activities active in the wild but with limited association. Earth Krahang could be another penetration team under the same company," Trend Micro said.
The iSoon leak - posted with no explanation on a now-disabled GitHub repository - highlights a burgeoning corporate hacker-for-hire scene centered in the Sichuan region of China. Multiple experts told Information Security Media Group the documents appeared to be legitimate. The leaked records show that the company, also known as Anxun Information Technology, mainly takes hacking assignments from the Ministry of Public Security, and the contracts are pegged to domestic security interests that require hacking into Asian organizations.
Trend Micro said the Earth Krahang campaign affected at least 70 different victims spread out across 23 countries, including confirmed breaches in Thailand, Indonesia, Malaysia, the Philippines and South Korea.
Because researchers were able to access the threat actor's servers, including log files, they identified additional possible victims, including some in the United States and across most of South America.
Government organizations are the threat actor's primary target, but it also targeted the education and communications sectors.
One way it spreads malware is by using a compromised mailbox at a government agency to send spear-phishing emails to other officials, often with legitimate-sounding subjects such as "Ministry of Defense Circular." It also hosts malware on compromised government web servers, which makes victims more inclined to click the links in phishing emails, since the links lead to an apparently benign domain. The group also likely uses brute-forcing tools to find weak credentials.
"Earth Krahang abuses the trust between governments to conduct their attacks," Trend Micro said. "In one case, the actor used a compromised mailbox from a government entity to send a malicious attachment to 796 email addresses belonging to the same entity."
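The mass internal mailing Trend Micro describes, a single government mailbox delivering an attachment to hundreds of colleagues, is a pattern a mail gateway can flag on its own. The script below is an added example and is not Trend Micro's or the actor's code; the log line format, the `ministry.example` domain, the sample log it constructs, and the 50-recipient threshold are assumptions for illustration. It counts distinct same-domain recipients of attachment-bearing mail per sender inside a sliding time window, so a compromised mailbox bursting attachments to the whole entity surfaces while an internal newsletter without attachments or an external vendor's mail does not.

```python
"""Flag one mailbox mass-mailing attachments to its own organization.

Added example (not Trend Micro's or the actor's code). Log format, domain
names and thresholds are assumptions chosen for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed gateway log line: "<iso-timestamp> sender=<addr> rcpt=<addr> att=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sender=(?P<sender>\S+) rcpt=(?P<rcpt>\S+) att=(?P<att>\d+)$"
)


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "sender": m["sender"].lower(),
            "rcpt": m["rcpt"].lower(),
            "att": int(m["att"]),
        })
    return events


def domain(addr):
    return addr.rsplit("@", 1)[-1]


def find_mass_internal_mailers(events, window=timedelta(minutes=10),
                               min_rcpts=50, require_attachment=True):
    """Return {sender: peak distinct same-domain recipients} for every sender
    that reached at least min_rcpts distinct colleagues within any window.
    min_rcpts=50 is an assumed tuning value, not a published threshold."""
    per_sender = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if domain(e["sender"]) != domain(e["rcpt"]):
            continue  # external senders are handled by other controls
        if require_attachment and e["att"] == 0:
            continue
        per_sender[e["sender"]].append(e)

    hits = {}
    for sender, evs in per_sender.items():
        counts, left, best = Counter(), 0, 0
        for ev in evs:  # two-pointer sliding window over time-sorted events
            counts[ev["rcpt"]] += 1
            while ev["ts"] - evs[left]["ts"] > window:
                old = evs[left]["rcpt"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        if best >= min_rcpts:
            hits[sender] = best
    return hits


def build_sample_log():
    """Constructed sample log (not real traffic) with one suspicious burst."""
    base = datetime(2024, 3, 18, 8, 0, 0)
    lines = []
    # Compromised mailbox: attachment to 120 colleagues in two minutes.
    for i in range(120):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} sender=circulars@ministry.example "
                     f"rcpt=staff{i:03d}@ministry.example att=1")
    # Benign: HR newsletter, no attachment, 200 recipients.
    for i in range(200):
        ts = base + timedelta(hours=1, seconds=i)
        lines.append(f"{ts.isoformat()} sender=hr@ministry.example "
                     f"rcpt=staff{i:03d}@ministry.example att=0")
    # Benign: external vendor mailing invoices to 60 staff.
    for i in range(60):
        ts = base + timedelta(hours=2, seconds=i)
        lines.append(f"{ts.isoformat()} sender=billing@vendor.example "
                     f"rcpt=staff{i:03d}@ministry.example att=1")
    # Benign: same compromised mailbox's normal low-volume traffic.
    for i in range(5):
        ts = base + timedelta(hours=3 + i)
        lines.append(f"{ts.isoformat()} sender=circulars@ministry.example "
                     f"rcpt=staff{i:03d}@ministry.example att=1")
    return "\n".join(lines)


if __name__ == "__main__":
    for sender, n in find_mass_internal_mailers(parse_log(build_sample_log())).items():
        print(f"ALERT {sender}: attachment sent to {n} distinct colleagues within 10 min")
```

The external-sender exclusion is deliberate: a trusted-looking internal sender is exactly what makes this lure work, so the rule targets internal-to-internal traffic and leaves external mass mail to the usual spam controls. Pair the alert with a check that the attachment or linked URL points at a domain the entity itself owns, since the article notes the actor hosts payloads on compromised government web servers.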
Earth Krahang uses various techniques to maintain persistence and extract sensitive information from the victim's environment, including tactics such as installing VPN servers on compromised servers, stealing credentials via tools such as Mimikatz, moving laterally through network scanning, and using known vulnerabilities to escalate privileges.
It maintains persistence by downloading Cobalt Strike and two custom backdoors, Reshell and XDealer, also known as DinodasRAT. Samples of the latter seem to show version increments over time, indicating that it has been used in the wild for some time and is still under active development.
The threat actor also took steps to keep defenders' internet-wide scanning from detecting its Cobalt Strike deployment: it placed a proxy in front of its Cobalt Strike command-and-control servers that hides them from scanners and search engine web crawlers.
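The mechanism behind such a proxy is a request filter: only traffic that matches the implant's expected profile is forwarded to the real command-and-control server, and everything else, including scanner probes and crawler fetches, receives a bland decoy page. The code below is an added illustration of that policy and is not the actor's proxy nor any Cobalt Strike component; the beacon paths, User-Agent, extra header and scanner markers are assumptions chosen for the example.

```python
"""Redirector policy that keeps a C2 server out of scanner and crawler results.

Added example, not the actor's proxy and not part of Cobalt Strike. Profile
values below are assumptions for illustration only.
"""
import re

# Assumed beacon profile: the URIs and User-Agent the implant actually uses.
BEACON_PATHS = re.compile(r"^/(api/v2/status|static/js/app\.js)$")
BEACON_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
BEACON_HEADER = "x-request-id"  # extra header the implant always sets (assumed)
# Substrings seen in scanner and crawler User-Agents (assumed, non-exhaustive).
SCANNER_UA_MARKERS = ("censys", "shodan", "zgrab", "masscan", "nmap",
                      "python-requests", "curl/", "go-http-client", "bot")


def classify_request(method, path, headers):
    """Return ("forward", reason) for requests that match the beacon profile,
    otherwise ("decoy", reason). Header names compare case-insensitively."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ua = hdrs.get("user-agent", "")
    if any(marker in ua.lower() for marker in SCANNER_UA_MARKERS):
        return "decoy", "scanner or crawler user-agent"
    if method not in ("GET", "POST"):
        return "decoy", "unexpected method"
    if not BEACON_PATHS.match(path.split("?", 1)[0]):
        return "decoy", "path outside beacon profile"
    if ua != BEACON_UA:
        return "decoy", "user-agent mismatch"
    if BEACON_HEADER not in hdrs:
        return "decoy", "missing beacon header"
    return "forward", "matches beacon profile"


def decoy_response():
    """What everyone but the implant sees: a static page whose headers reveal
    nothing about the upstream. Returned as (status, headers, body)."""
    return 200, {"Content-Type": "text/html", "Server": "nginx"}, b"<html><body>Welcome</body></html>"


if __name__ == "__main__":
    probes = [
        ("GET", "/", {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"}),
        ("GET", "/api/v2/status", {"User-Agent": "curl/8.0"}),
        ("GET", "/api/v2/status", {"User-Agent": BEACON_UA, "X-Request-Id": "7"}),
    ]
    for method, path, headers in probes:
        print(method, path, "->", classify_request(method, path, headers))
```

The defensive consequence is the point worth taking from this: once a redirector is in place, a scan hit on the server looks like an ordinary web page, so external fingerprinting of Cobalt Strike stops being reliable and detection has to come from the victim side, for example from egress telemetry showing periodic beaconing to the fronted domain.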