In this report the McAfee Advanced Threat Research (ATR) Strategic Intelligence team details an espionage campaign, targeting telecommunication companies, dubbed Operation Dianxun.
In this attack, we discovered malware using similar tactics, techniques and procedures (TTPs) to those observed in earlier campaigns publicly attributed to the threat actors RedDelta and Mustang Panda. While the initial vector for the infection is not entirely clear, we believe with a medium level of confidence that victims were lured to a domain under control of the threat actor, from which they were infected with malware which the threat actor leveraged to perform additional discovery and data collection. We believe with a medium level of confidence that the attackers used a phishing website masquerading as the Huawei company career page to target people working in the telecommunications industry.
We discovered malware that masquerades as Flash applications, often connecting to the domain "hxxp://update.careerhuawei.net" that was under control of the threat actor. The malicious domain was crafted to look like the legitimate career site for Huawei, which has the domain: hxxp://career.huawei.com. In December, we also observed a new domain name used in this campaign: hxxp://update.huaweiyuncdn.com.
Moreover, the sample posing as the Flash application used the malicious domain name "flach.cn" which was made to look like the official web page for China to download the Flash application, flash.cn. One of the main differences from past attacks is the lack of use of the PlugX backdoor. However, we did identify the use of a Cobalt Strike backdoor.
By using McAfee's telemetry, possible targets based in Southeast Asia, Europe, and the US were discovered in the telecommunication sector. We also identified a strong interest in German, Vietnamese and Indian telecommunication companies. Combined with the use of the fake Huawei site, we conclude with a high level of confidence that this campaign was targeting the telecommunication sector. We believe with a moderate level of confidence that the motivation behind this specific campaign has to do with the ban of Chinese technology in the global 5G roll-out.
Activity linked to the Chinese group RedDelta, by peers in our industry, has been observed in the wild since early May 2020. Previous attacks have been described targeting the Vatican and religious organizations.
In September 2020, the group continued its activity using decoy documents related to Catholicism, Tibet-Ladakh relations and the United Nations General Assembly Security Council, as well as other network intrusion activities targeting the Myanmar government and two Hong Kong universities. These attacks mainly used the PlugX backdoor abusing DLL side loading with legitimate software, such as Word or Acrobat, to compromise targets.
While external reports have given a new name to the group which attacked the religious institutions, we believe with a moderate level of confidence, based on the similarity of TTPs, that both attacks can be attributed to one known threat actor: Mustang Panda.
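To show how a defender could hunt proxy logs for the lookalike domains described above, here is an added Python example (not code from the McAfee report). The log lines, their field layout and the "last two labels" registered-domain heuristic are constructed assumptions; the hostnames are the ones named in the report.

```python
from urllib.parse import urlsplit
# Brands the actor imitated, per the report. The proxy log below is constructed
# (assumed format: timestamp client method url status); hosts are from the report.
LEGIT_DOMAINS = ("huawei.com", "flash.cn")
SAMPLE_PROXY_LOG = """\
2020-12-01T10:02:11Z host-a GET http://career.huawei.com/en/ 200
2020-12-01T10:03:45Z host-b GET http://update.careerhuawei.net/flash.exe 200
2020-12-01T10:05:02Z host-c GET http://www.flash.cn/ 200
2020-12-01T10:06:30Z host-c GET http://flach.cn/download/flash.exe 200
2020-12-01T10:08:11Z host-d GET http://update.huaweiyuncdn.com/ 200
"""

def levenshtein(a: str, b: str) -> int:
    # Edit distance; catches single-character swaps such as flach vs flash.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(host: str):
    # Registered domain approximated as the last two labels (no public-suffix
    # list; an assumption of this example). Returns None for a clean host.
    rd = ".".join(host.lower().split(".")[-2:])
    if rd in LEGIT_DOMAINS:
        return None                           # the genuine site itself
    brand = rd.split(".")[0]
    for legit in LEGIT_DOMAINS:
        lb = legit.split(".")[0]
        if lb in brand and brand != lb:       # brand embedded: careerhuawei, huaweiyuncdn
            return f"embeds brand '{lb}' of {legit}"
        if len(lb) >= 4 and levenshtein(brand, lb) == 1:  # near miss: flach vs flash
            return f"one edit from '{lb}' of {legit}"
    return None

def scan_proxy_log(text: str):
    # Return (client, host, reason) for each request to a lookalike domain.
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host = urlsplit(fields[3]).hostname or ""
        reason = lookalike_reason(host)
        if reason:
            hits.append((fields[1], host, reason))
    return hits
```

Running `scan_proxy_log(SAMPLE_PROXY_LOG)` flags the three lookalike hosts and leaves the genuine career.huawei.com and flash.cn requests alone; a real deployment would swap in a public-suffix list and the organisation's own brand list.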
Coverage and Protection
We believe the best way to protect yourself from this type of attack is to adopt a multi-layer approach including MVISION Insights, McAfee Web Gateway, MVISION UCE and MVISION EDR.
MVISION Insights can play a key role in risk mitigation by proactively collecting intelligence on security threats and your exposure.
McAfee Web Gateway and MVISION UCE provide multi-layer web vector protection with URL Reputation check, SSL decryption, and malware emulation capabilities for analyzing dangerous active Web content such as Flash and DotNet. MVISION UCE also includes the capabilities of Remote Browser Isolation, the only solution that can provide 100% protection during web browsing.
McAfee Endpoint Security running on the target endpoint protects against Operation Dianxun with an array of prevention and detection techniques. ENS Threat Prevention and ATP provide both signature and behavioral analysis capability which proactively detects security threats. ENS also leverages Global Threat Intelligence which is updated with known IoCs. For DAT based detections, the family will be reported as Trojan-Cobalt, Trojan-FSYW, Trojan-FSYX, Trojan-FSZC and CobaltStr-FDWE.
As the last phase of the attack involves creating a backdoor for remote control of the victim via a Command and Control Server and Cobalt Strike Beacon, the blocking capabilities that can be activated on a Next Generation Intrusion Prevention System solution such as McAfee NSP are important. NSP includes a Callback Detection engine and is able to detect and block anomalies in communication patterns with C2 Servers.
MVISION EDR can proactively identify persistence and defense evasion techniques. You can also use MVISION EDR to search for the indicators of compromise in Real-Time or Historically (up to 90 days) across enterprise systems.
Learn more about Operation Dianxun, including Yara & Mitre ATT&CK techniques, by reading our technical analysis and Defender blog.
Summary of the Threat
We assess with a high level of confidence that:
Recent attacks using TTPs similar to those of the Chinese groups RedDelta and Mustang Panda have been discovered. Multiple overlaps including tooling, network and operating methods indicate strong similarities between Chinese groups RedDelta and Mustang Panda. The targets are mainly telecommunication companies based in Southeast Asia, Europe, and the US. We also identified a strong interest in German and Vietnamese telecommunication companies.
We assess with a moderate level of confidence that:
We believe that this espionage campaign is aimed at stealing sensitive or secret information in relation to 5G technology.
PLEASE NOTE: We have no evidence that the technology company Huawei was deliberately involved in this Campaign.
McAfee Advanced Threat Research (ATR) is actively monitoring this threat and will update as its visibility into the threat increases.
The post Operation Dianxun: Cyberespionage Campaign Targeting Telecommunication Company appeared first on McAfee Blogs.
Read more: mcafee.com