The Siege of Southeast Asia's Government Sector with Alloy Taurus
Category: Threat Actor Activity | Industries: Government & Telecommunications | Source: Unit42
Unit42 researchers are tracking clusters of cyber activity aimed at government entities in Southeast Asia. One cluster, tracked as CL-STA-0045, is attributed with moderate confidence to the Chinese cyberespionage group Alloy Taurus (also known as Gallium). The campaign, which began in early 2022 and is still ongoing, targets government entities in Southeast Asia and is characterized by "multiwave intrusions" that repeatedly exploit vulnerabilities in Exchange servers. The threat actors employ a range of tools and techniques in their operations. Unit42 suspects the "main goal behind the activity was to facilitate long-term espionage operations."
The attack begins with the threat actors gaining access to the target network and installing web shells, including China Chopper, on internet-facing web servers. Through these web shells the attackers run system and network reconnaissance on the compromised host and create administrative accounts. They then attempt to execute two previously undocumented .NET backdoors, Reshell and Zapoa, which give them remote command execution on the host.
To maintain access and evade detection, the attackers install SoftEther VPN software, renaming the binary so that it blends in with legitimate files. They also connect to external hosts, including GitHub, to download additional tools such as Kerbrute and LsassUnhooker. The attackers harvest credentials by several means, including brute force attacks, password theft, and NTLM downgrade attacks. They then move toward critical assets within the network, particularly web servers and domain controllers, using AnyDesk and SSH tunneling for remote access. Finally, they attempt to install further tools and malware, including Cobalt Strike, Gh0stCringe RAT, HDoor, and a variant of the Winnti malware.
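The behaviours described in the two paragraphs above (web shell command execution from an internet-facing web server, creation of administrative accounts from that process tree, and a renamed SoftEther VPN binary) are all visible in process-creation telemetry. The following hunting script is an added example, not code or data from the Unit42 report: it runs three simple rules over a handful of constructed Sysmon-style events. The event field names, the worker-process names, the SoftEther executable names and every sample value are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Constructed process-creation event modelled on Sysmon Event ID 1.
    Field names are assumptions for this example, not the vendor schema."""
    host: str
    image: str              # full path of the new process
    parent_image: str       # full path of its parent
    cmdline: str
    original_filename: str  # PE OriginalFileName; survives a rename on disk


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Assumed worker processes that would host a web shell on an IIS/Apache/nginx box.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd.exe", "nginx.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed SoftEther executable names; a renamed copy keeps this in its PE header.
SOFTETHER_NAMES = {"vpnserver.exe", "vpnbridge.exe", "vpnclient.exe", "vpncmd.exe"}
# "net user <name> <pw> /add" or "net localgroup administrators <name> /add"
ACCOUNT_ADD = re.compile(
    r"\bnet(?:1)?(?:\.exe)?\s+(?:user|localgroup\s+administrators)\b.*\s/add\b",
    re.IGNORECASE,
)


def rule_webshell_exec(ev: ProcEvent) -> bool:
    """A web server worker process spawning a command interpreter."""
    return basename(ev.parent_image) in WEB_SERVER_PROCS and basename(ev.image) in SHELLS


def rule_account_creation(ev: ProcEvent) -> bool:
    """Local account creation or addition to the Administrators group."""
    return ACCOUNT_ADD.search(ev.cmdline) is not None


def rule_renamed_softether(ev: ProcEvent) -> bool:
    """SoftEther binary whose on-disk name no longer matches its PE metadata."""
    orig = ev.original_filename.lower()
    return orig in SOFTETHER_NAMES and basename(ev.image) != orig


RULES = {
    "webshell_exec": rule_webshell_exec,
    "account_creation": rule_account_creation,
    "renamed_softether": rule_renamed_softether,
}


def hunt(events):
    """Return (host, rule_name, image) for every rule each event triggers."""
    return [(ev.host, name, ev.image)
            for ev in events
            for name, fn in RULES.items() if fn(ev)]


# Constructed sample telemetry; paths, hosts and account names are invented.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent("web01", CMD, W3WP, 'cmd.exe /c "whoami & ipconfig /all"', "Cmd.Exe"),
    ProcEvent("web01", CMD, W3WP, "cmd.exe /c net user backupsvc Passw0rd! /add", "Cmd.Exe"),
    ProcEvent("web01", r"C:\Windows\System32\net.exe", CMD,
              "net localgroup Administrators backupsvc /add", "net.exe"),
    ProcEvent("web01", r"C:\ProgramData\Microsoft\Crypto\svchost.exe", CMD,
              "svchost.exe /start", "vpnserver.exe"),          # renamed SoftEther
    ProcEvent("vpn01", r"C:\Program Files\SoftEther VPN Server\vpnserver.exe",
              r"C:\Windows\System32\services.exe", "vpnserver.exe /start", "vpnserver.exe"),
    ProcEvent("ws07", r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe", "notepad.exe notes.txt", "NOTEPAD.EXE"),
]

if __name__ == "__main__":
    for host, rule, image in hunt(SAMPLE_EVENTS):
        print(f"{host:6} {rule:18} {image}")
```

The renamed-binary rule relies on the PE `OriginalFileName` field that Sysmon records; it will not fire if the attacker also patches the version resource, so pair it with a hash- or signer-based check where that telemetry exists. The account-creation rule fires regardless of parent process, so in a real deployment the web-server parent (or the `webshell_exec` hit on the same host shortly before) is what raises its priority.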