A Chinese-speaking cyber threat actor, tracked as CL-UNK-1068, has been conducting stealthy cyberespionage attacks against critical infrastructure sectors across Asia since at least 2020. The group targets aviation, energy, government, and telecommunications organizations, using a mix of custom malware, open-source tools, and living-off-the-land techniques on both Windows and Linux systems. Its primary goals are credential theft and sensitive data exfiltration, with initial access gained through web server exploits. While strongly suggesting an espionage motive linked to China, researchers have not yet definitively identified the actor.
Chinese Cyber Threat Lurks In Critical Asian Sectors for Years
An unidentified Chinese-speaking actor wields a combination of custom malware, open source tools, and LOTL binaries against Windows and Linux, likely for spying.
A Chinese-speaking threat actor has been pummeling various critical-infrastructure sectors across Asia with cyberespionage attacks for years, using a combination of custom malware, open source tools, and living-off-the-land binaries across both Windows and Linux environments.
The threat cluster, tracked as CL-UNK-1068, has been targeting aviation, energy, government, law enforcement, pharmaceuticals, technology, and telecommunications organizations across South, Southeast, and East Asia since at least 2020, according to a recent report by Palo Alto Networks' Unit 42.
"Using primarily open source tools, community-shared malware, and batch scripts, the group has successfully maintained stealthy operations while infiltrating critical organizations," Unit 42's Tom Fakterman wrote in the post.
Attackers gain initial access via exploitation of Web servers and the deployment of various Web shells, including the GodZilla Web shell, and a variation of AntSword. After gaining an initial foothold, the attackers use these shells to move laterally to additional hosts and SQL servers.
The ultimate goal of the attacks is both credential theft and the exfiltration of sensitive data by the as-yet undetermined actor, who Unit 42 believes is linked to China based on their use of language, the origin of their tools, and "their consistent, long-standing targeting of critical infrastructure in Asia," Fakterman noted.
Cross-Platform Cyberattack Capabilities
In its attack methodology, the actor demonstrates a versatility in how it operates across both Windows and Linux environments, "using different versions of their tool set for each operating system," according to Unit 42.
"While the focus on credential theft and sensitive data exfiltration from critical infrastructure and government sectors strongly suggests an espionage motive, we cannot yet fully rule out cybercriminal intention," Fakterman added.
Once the actor compromises a system, it conducts reconnaissance and privilege escalation using a combination of tools, and reuses the aforementioned Web shells for lateral movement.
CL-UNK-1068 then conducts credential theft using tools such as Mimikatz, which dumps passwords from memory, and LsaRecorder, which also captures passwords, according to the report. The actor also deploys DumpIt, a free multiplatform forensics tool, in combination with the widely known Volatility Framework to extract password hashes from memory.
Another tool in CL-UNK-1068's arsenal is a custom Go-based network scanning tool named ScanPortPlus, for which it has developed both Linux and Windows versions, according to the report.
To maintain persistence and evade detection, the actor relies heavily on various stealth techniques, including DLL side-loading through legitimate Python executables. This allows malicious payloads to execute under trusted processes, Fakterman explained.
Further, to maintain command-and-control (C2) access and bypass network controls, the actor also deploys modified builds of Fast Reverse Proxy (FRP) and occasionally installs the Xnote Linux backdoor.
How to Defend Against the Chinese Cyber Threat
Though Unit 42 has not made a definitive identification of the threat actor, some of its targeting and stealth activities are reminiscent of formidable Chinese threat actor Salt Typhoon, which infamously and persistently targeted at least nine US telecommunications companies without detection long enough to eavesdrop on US law-enforcement wiretaps and presidential campaigns.
Indeed, China has numerous state-sponsored actors conducting espionage and financially motivated campaigns on its behalf. Just last week researchers from Check Point unveiled a newly documented spinoff of APT41 dubbed "Silver Dragon," which also was targeting Asia in a lengthy campaign.
To ward off these advanced persistent threats, Unit 42 recommends that defenders pay attention to the "behavioral anomalies" associated with each group. To help them do this, there is a lengthy list of indicators of compromise (IoCs) included in the report.
In the case of CL-UNK-1068, some key signs that organizations should aim to spot in their detections include: misuse of legitimate Python binaries for side-loading; deployment of unauthorized tunneling tools like FRP; and execution of custom reconnaissance batch scripts.
Security teams also should look for evidence of credential-dumping tools like Mimikatz; inspect unusual RAR compression and Base64 encoding activity; harden Internet-facing Web servers; and monitor for Web shell deployments, Fakterman said.
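The detection signs listed above (Python side-loading, unauthorized FRP tunneling, recon batch scripts, Mimikatz/DumpIt, RAR plus Base64 staging, and Web shell activity) can be turned into simple behavioral checks over process-creation telemetry. The following is an added example written for this article, not code from Unit 42 or the report; the event field names, the allow-listed Python install directories, the staging-directory list and the sample events are all constructed for illustration and would need tuning to a real estate.

```python
import fnmatch
import re

# Constructed process-creation records; the field names are this example's own,
# not any vendor's schema.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\python.exe",
     "cmdline": "python.exe build.py", "parent": r"C:\Windows\explorer.exe"},
    {"id": 2, "image": r"C:\ProgramData\update\python.exe",          # interpreter copied next to a rogue DLL
     "cmdline": "python.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 3, "image": "/opt/.cache/frpc", "cmdline": "frpc -c frpc.toml", "parent": "/bin/bash"},
    {"id": 4, "image": r"C:\Windows\Temp\m.exe",
     "cmdline": 'm.exe "privilege::debug" "sekurlsa::logonpasswords"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 5, "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"rar.exe a -hp -v50m C:\Users\Public\out.rar C:\share\docs",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 6, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -encode C:\Users\Public\out.rar C:\Users\Public\out.txt",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 7, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\recon.bat", "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 8, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"id": 9, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir",
     "parent": r"C:\Windows\explorer.exe"},
]

# Assumed legitimate interpreter locations; a python(w).exe running elsewhere is
# the shape a side-loaded copy takes (exe dropped beside a malicious DLL).
PYTHON_OK = ("c:\\program files\\python*", "c:\\python*",
             "c:\\users\\*\\appdata\\local\\programs\\python\\*",
             "/usr/bin/*", "/usr/local/bin/*")
STAGING_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\programdata\\")
WEB_SERVERS = ("w3wp.exe", "httpd", "nginx", "apache2", "php-fpm")
SHELLS = ("cmd.exe", "powershell.exe", "sh", "bash", "dash")


def basename(path):
    """Last path component, lower-cased, for either separator style."""
    return re.split(r"[\\/]", path)[-1].lower()


def rule_python_sideload(ev):
    if basename(ev["image"]) not in ("python.exe", "pythonw.exe"):
        return False
    return not any(fnmatch.fnmatchcase(ev["image"].lower(), p) for p in PYTHON_OK)


def rule_tunneling(ev):
    # FRP client/server binary by name, or "frp"/"frpc"/"frps" as a command token.
    return basename(ev["image"]) in ("frpc", "frpc.exe", "frps", "frps.exe") \
        or re.search(r"\bfrp[cs]?\b", ev["cmdline"].lower()) is not None


def rule_credential_dump(ev):
    hay = basename(ev["image"]) + " " + ev["cmdline"].lower()
    return any(tok in hay for tok in ("mimikatz", "sekurlsa::", "dumpit"))


def rule_rar_archive(ev):
    # rar/WinRAR "a" (add-to-archive) command; -hp/-v switches mark encrypted, split volumes.
    return basename(ev["image"]) in ("rar.exe", "winrar.exe", "rar") \
        and re.match(r"\S+\s+a\b", ev["cmdline"]) is not None


def rule_base64_encode(ev):
    name, cl = basename(ev["image"]), ev["cmdline"].lower()
    return (name == "certutil.exe" and "-encode" in cl) \
        or (name == "base64" and "-d" not in cl.split())


def rule_recon_batch(ev):
    # A .bat launched from a world-writable staging directory (assumed indicator).
    m = re.search(r'([a-z]:\\[^\s"]+\.bat)', ev["cmdline"].lower())
    return bool(m) and m.group(1).startswith(STAGING_DIRS)


def rule_webshell_child(ev):
    # A web server worker spawning an interactive shell is the classic Web shell footprint.
    return basename(ev["parent"]) in WEB_SERVERS and basename(ev["image"]) in SHELLS


RULES = [("python_sideload", rule_python_sideload), ("tunneling", rule_tunneling),
         ("credential_dump", rule_credential_dump), ("rar_archive", rule_rar_archive),
         ("base64_encode", rule_base64_encode), ("recon_batch", rule_recon_batch),
         ("webshell_child", rule_webshell_child)]


def scan(events):
    """Return (event id, rule name) pairs for every rule each event trips."""
    return [(ev["id"], name) for ev in events for name, fn in RULES if fn(ev)]


if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Each rule is deliberately narrow and keyed to one of the behaviors named in the article; in practice the allow-lists and staging directories are the knobs that decide the false-positive rate, and a Python interpreter legitimately installed outside the listed paths will fire the side-loading rule until it is added there.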