Analysis of a Multi-Stage Cyber Attack Campaign Targeting Multiple Regions
In late 2023 and the first half of 2024, security analysts identified a sophisticated attack campaign that targeted numerous clients across several geographical regions. The campaign ended in the deployment of a Cobalt Strike payload, a post-exploitation framework widely abused for follow-on activity. The evidence gathered from the attack attempts led analysts to assess with medium confidence that a single threat actor was behind these intrusions.
Distinct Traits of the Campaign
The campaign exhibited several notable characteristics. Attempts were initially concentrated on targets in the Far East and later shifted to Sweden, a geographical move that suggests the attackers were probing different security postures. The attackers used the Minhook DLL, an API hooking library for Windows, to redirect Windows API calls, demonstrating their technical proficiency.
Another intriguing aspect was the clean loader, which was not shipped as part of the sideloading package. Instead, the attackers used a legitimate executable already present on the compromised system, an approach that reduces detection risk because no new signed executable has to be dropped. Furthermore, the attackers signed the malicious components with a compromised digital signature—albeit an expired one. Ultimately, the payload resulted in the deployment of Cobalt Strike.
The investigation into this campaign, now viewed as a significant point of reference, revealed substantial learnings about the evolving tactics used by threat actors.
Initial Breaches in China and Taiwan
The first signs of this attack were detected among clients in China and Taiwan, where two separate sideloading incidents occurred within a single day at one customer. A subsequent investigation revealed a third incident at another location. An initial assessment suggested a connection between these incidents because the encrypted payloads used identical file names, and both carried Cobalt Strike as the payload. However, the malicious files had not been retained, which impeded further analysis.
In a retrospective examination, analysts found similar incidents at several other customers in China and Taiwan, with the earliest evidence dating to December 1, 2023. Three distinct sideloading attempts were identified in this investigation, each following the same patterns and together revealing the complexity of the threat actor's strategies.
MiracastView Sideloading Incident
One of these cases involved the Miracast wireless display service, where an outgoing Command and Control (C2) connection to a Cobalt Strike server was observed. The clean loader was located at:
appdata\local\microsoft\windowsapps\miracastview.exe
By contrast, the malicious loader was identified at:
appdata\local\microsoft\windowsapps\miracastview.dll
Other related payload files were also identified. The C2 connection matched known Cobalt Strike servers, pointing to a well-coordinated operation by the attackers.
Although the malicious files from this incident could not be recovered, the analysis revealed a striking connection with the other attacks, showing a systematic pattern of operation typical of experienced adversaries.
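The MiracastView case has the shape defenders most often see in sideloading: a copy of a Windows executable running from a user-writable directory, with a DLL of the same base name beside it. The Python below is an added triage example, not code from the report or the investigating team, and the image-load records it scores are constructed. The directory lists, the indicator names and the two-indicator threshold are this example's own assumptions and should be tuned to the estate being monitored.

```python
"""Triage heuristic for DLL sideloading: flag image-load records where a DLL is
mapped from the same directory as the process that loaded it, that directory is
user-writable, or the exe/DLL pair shares a name while the exe runs outside a
Windows system directory. Sample records below are constructed, not real telemetry."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Assumed directory lists; tune them to the estate being monitored.
SYSTEM_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\windows\\systemapps",
)
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
)


@dataclass(frozen=True)
class ImageLoad:
    """One image-load telemetry record (e.g. a Sysmon event ID 7): process image and loaded module."""
    process_path: str
    module_path: str


def _norm(path: str) -> str:
    # Windows paths are case-insensitive and tools mix slash styles; normalise before comparing.
    return path.replace("/", "\\").lower()


def in_system_dir(directory: str) -> bool:
    return any(directory == d or directory.startswith(d + "\\") for d in SYSTEM_DIRS)


def in_user_writable(directory: str) -> bool:
    return any(marker in directory + "\\" for marker in USER_WRITABLE_MARKERS)


def assess(event: ImageLoad) -> List[str]:
    """Return the list of sideloading indicators that apply to one image-load record."""
    proc_dir, proc_name = ntpath.split(_norm(event.process_path))
    mod_dir, mod_name = ntpath.split(_norm(event.module_path))
    if not mod_name.endswith(".dll"):
        return []
    reasons = []
    # The DLL sits beside the exe: the first place the loader's search order looks.
    if proc_dir == mod_dir:
        reasons.append("dll_beside_exe")
    # Planting a DLL here needs no elevation.
    if in_user_writable(mod_dir):
        reasons.append("user_writable_dir")
    # miracastview.exe + miracastview.dll style pairing, with the exe running from an unusual place.
    if (ntpath.splitext(proc_name)[0] == ntpath.splitext(mod_name)[0]
            and not in_system_dir(proc_dir)):
        reasons.append("same_name_pair_outside_system_dir")
    return reasons


def is_suspicious(event: ImageLoad) -> bool:
    # A single indicator is common in benign software; require two to raise for review.
    return len(assess(event)) >= 2


def triage(events: List[ImageLoad]) -> List[Tuple[ImageLoad, List[str]]]:
    return [(e, assess(e)) for e in events if is_suspicious(e)]


# Constructed sample records; the first mirrors the MiracastView case described above.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\MiracastView.exe",
              r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\MiracastView.dll"),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\ntdll.dll"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Windows\System32\kernel32.dll"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\setup.exe",
              r"C:\Users\alice\AppData\Local\Temp\helper.dll"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\setup.exe", r"C:\Windows\System32\user32.dll"),
]

if __name__ == "__main__":
    for event, reasons in triage(SAMPLE_EVENTS):
        print(f"{event.process_path} <- {event.module_path}: {', '.join(reasons)}")
```

Two of the five constructed records are raised: the MiracastView pair with all three indicators, and an installer in Temp loading its own helper DLL with two. The second is the expected false-positive class for this heuristic, which is why it is a triage list rather than a blocking rule. A point worth noting for the MiracastView path specifically: %LOCALAPPDATA%\Microsoft\WindowsApps is on the user's PATH and normally holds only app execution aliases, so a full executable and DLL pair living there is itself unusual.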
PrintDialog Sideloading
In another strand of the investigation, involving the payload file dsccorer.mui, telemetry pointed to sideloading activity originating from the legitimate LetsTalkApplication tool, developed by a Taiwan-based technology company. This further illustrated the creative methods the attackers used to disguise their activity.
SystemSettings Sideloading
Concurrently, another sideloading scenario involving the SystemSettings application was uncovered. Unlike the other instances, the malicious loader here was recovered, which allowed analysts to examine the malware's inner workings: it decompressed and executed two payload files.
The Swedish Connection
Moving beyond Asia, investigators obtained a new sample that appeared to be aimed at Swedish victims. The sample was notable for being a digitally signed installer whose signature belonged to a Korean online gaming company, Gala Lab Corp. Although the signing certificate had expired, the signature remained valid under specific circumstances, which points to the attackers' familiarity with how signature validation works. The use of an expired yet valid signature raised questions about the attackers' motivations, in particular their choice of that identity.
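The report does not state what kept the expired signature valid. The usual mechanism, assumed here rather than confirmed for this sample, is a trusted timestamp countersignature: Authenticode-style verifiers accept a signature made while the certificate was valid even after the certificate expires, provided a timestamp proves when the signing happened. The Python below is an added illustration, not code from the report or the investigating team; it encodes that rule and lists what an analyst should still review when the verifier says "valid", which is the real lesson of the Gala Lab Corp sample. The record layout, the signer name and the dates are constructed.

```python
"""Decide whether an Authenticode-style signature is still acceptable after the signing
certificate has expired, and what a defender should review. The signature record below is
constructed for illustration; the field names are this example's own, not a library's."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class SignatureInfo:
    signer: str                    # subject of the signing certificate
    cert_not_before: datetime      # certificate validity window
    cert_not_after: datetime
    timestamp: Optional[datetime]  # time asserted by a trusted timestamp countersignature, if any
    chain_trusted: bool            # chain builds to a trusted root
    revoked: bool                  # certificate listed in a CRL/OCSP response


def assess_signature(sig: SignatureInfo, now: datetime) -> str:
    """Return 'valid:<why>' or 'invalid:<why>'.

    Mirrors how Authenticode-style verifiers treat expiry: a signature made while the
    certificate was valid stays acceptable after expiry only if a trusted timestamp proves
    when the signing happened. Revocation is treated as fatal here for simplicity; real
    verifiers compare the revocation date with the timestamp.
    """
    if not sig.chain_trusted:
        return "invalid:untrusted-chain"
    if sig.revoked:
        return "invalid:revoked"
    if sig.cert_not_before <= now <= sig.cert_not_after:
        return "valid:current-cert"
    if sig.timestamp is not None and sig.cert_not_before <= sig.timestamp <= sig.cert_not_after:
        return "valid:expired-cert-timestamped"
    return "invalid:expired-cert"


def review_points(sig: SignatureInfo, now: datetime, expected_publishers: List[str]) -> List[str]:
    """'Valid' is not 'expected': list what an analyst should still look at."""
    points = []
    if assess_signature(sig, now) == "valid:expired-cert-timestamped":
        points.append("certificate expired; validity rests on the timestamp countersignature")
    if sig.signer not in expected_publishers:
        points.append(f"signer '{sig.signer}' is not an expected publisher for this software")
    return points


# Constructed sample: a certificate that expired before the file was examined,
# with a timestamp showing the signing happened inside the validity window.
UTC = timezone.utc
SAMPLE_SIG = SignatureInfo(
    signer="Example Game Studio Ltd",  # placeholder name, not a real publisher
    cert_not_before=datetime(2021, 1, 1, tzinfo=UTC),
    cert_not_after=datetime(2023, 1, 1, tzinfo=UTC),
    timestamp=datetime(2022, 6, 15, tzinfo=UTC),
    chain_trusted=True,
    revoked=False,
)
# Same certificate, but the signature carries no timestamp: it stops verifying at expiry.
SAMPLE_SIG_NO_TS = replace(SAMPLE_SIG, timestamp=None)
NOW = datetime(2024, 3, 1, tzinfo=UTC)

if __name__ == "__main__":
    print(assess_signature(SAMPLE_SIG, NOW))
    print(assess_signature(SAMPLE_SIG_NO_TS, NOW))
    for point in review_points(SAMPLE_SIG, NOW, expected_publishers=["Contoso Enterprise Tools"]):
        print(" -", point)
```

The point of the second function is that a passing signature check answers "was this file signed with a certificate that was valid at signing time", not "should this publisher be signing software that reaches my users". A game company's certificate on an installer delivered to corporate targets in another region is exactly the mismatch the allowlist comparison is meant to surface.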
Conclusion and Reflection
Despite the extensive investigation, activity subsequently dropped off, making it difficult to judge the overall effectiveness of defenses. The geographic shift in targeting from Asia to Europe underscores the need for sustained vigilance and flexibility in cybersecurity strategy. This case also shows the value of revisiting past incidents for insights that can inform future protective measures against evolving cyber threats.