Persistent Threats from the East: Stately Taurus's Ongoing Campaigns Revealed
Category: Threat Actor Activity | Industry: Government | Source: Unit42
Government entities in Southeast Asia are targeted by various APT groups, as reported by researchers from Unit42. One reported cluster of activity, which Unit42 tracks as CL-STA-0044, is attributed to the Chinese espionage group Stately Taurus (aka Mustang Panda, Earth Preta, BRONZE PRESIDENT, TA416, and RedDelta). The campaign is traced from the second quarter of 2021 to the third quarter of 2023. Its primary objective was to gather sensitive documents and files from the compromised networks, focusing on individuals of interest within the government.
The threat actor group used various sophisticated techniques during the campaign. In the reconnaissance phase, they scanned infected environments for live hosts, open ports, and domain users and groups using tools like LadonGo, NBTScan, and AdFind. They also attempted to steal credentials using tools and techniques such as Hdump, Mimikatz, DCSync, and theft of the Ntds.dit file, which contains password hashes. The attackers abused existing antivirus software, such as ESET’s Remote Administrator Agent, to execute commands remotely and install backdoors. They maintained access to compromised environments through backdoors and web shells, including an undocumented variant of the ToneShell backdoor, which was loaded into legitimate processes via DLL sideloading. Additionally, they used Cobalt Strike, ShadowPad, and China Chopper web shells to maintain control and to troubleshoot issues with their backdoors.
The campaign showed a high level of intelligence gathering: the threat actors used tools like wevtutil to search event logs for specific usernames, successful login attempts, and sensitive privileges. This intelligence allowed them to target specific individuals within the victim organization effectively. To exfiltrate sensitive information they archived files with rar.exe and even created a VBS script in the Startup folder so that the desired data was archived and exfiltrated on a regular basis. The archives were then uploaded through several channels, including cloud storage sites like 1fichier[.]com and legitimate services like Dropbox.
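As an added example (not code from the Unit42 report), the following Python sketches how a defender might flag process-creation telemetry for the tradecraft summarized above: event-log searches with wevtutil, rar.exe archiving, a .vbs launched from the Startup folder, AD/network scanners, and ntds.dit access. The event fields, rule names and sample events are constructed assumptions, not data from the report.

```python
"""Flag process-creation events that match the tradecraft summarized above."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    image: str    # full path of the created process (assumed field)
    cmdline: str  # its command line (assumed field)
    parent: str   # parent process image path (assumed field)


def _lc(s: str) -> str:
    return s.lower()


# (rule name, predicate). Matching is case-insensitive.
RULES = [
    ("ad_or_network_recon",          # LadonGo / NBTScan / AdFind style scanners
     lambda e: re.search(r"(^|\\)(adfind|nbtscan|ladon(go)?)\.exe$", _lc(e.image)) is not None),
    ("eventlog_recon_wevtutil",      # querying the Security log for logons/privileges
     lambda e: _lc(e.image).endswith("\\wevtutil.exe")
     and re.search(r"\bqe\b.*\bsecurity\b", _lc(e.cmdline)) is not None),
    ("ntds_dit_access",              # any command line touching the AD database
     lambda e: "ntds.dit" in _lc(e.cmdline)),
    ("rar_staging",                  # rar.exe creating an archive ("a" command)
     lambda e: _lc(e.image).endswith("\\rar.exe")
     and re.search(r"\s+a\s+", _lc(e.cmdline)) is not None),
    ("vbs_startup_persistence",      # wscript/cscript running a .vbs from a Startup folder
     lambda e: re.search(r"(^|\\)(w|c)script\.exe$", _lc(e.image)) is not None
     and "\\startup\\" in _lc(e.cmdline) and ".vbs" in _lc(e.cmdline)),
]


def classify(event: Event) -> list:
    """Return the names of every rule the event matches (empty list if nothing matched)."""
    return [name for name, pred in RULES if pred(event)]


def scan(events) -> dict:
    """Map each matching event's command line to the rule names it triggered."""
    return {e.cmdline: hits for e in events if (hits := classify(e))}


# Constructed sample telemetry; paths and users are invented for illustration.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\wevtutil.exe",
          'wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text', r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Users\Public\rar.exe",
          r"rar.exe a -r C:\Users\Public\docs.rar C:\Users\alice\Documents\*.docx", r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.vbs"',
          r"C:\Windows\explorer.exe"),
    Event(r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS).items():
        print(", ".join(hits), "<-", cmd)
```

Each rule is a narrow string match and will need tuning against your own baseline; the point is that every stage the report describes leaves a process-creation trace that can be correlated.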
Unit42 attributed this cyberespionage campaign to the Chinese APT group Stately Taurus with moderate-high confidence. The attribution was based on the unique tools used, such as the ToneShell backdoor, and the deployment of ShadowPad, a modular malware exclusively used by Chinese-sponsored threat actors. The victimology, targeting the government sector in Southeast Asia, further supported their attribution.