According to a new report from incident response firm Sygnia, a major telecommunications company located in Asia was allegedly breached by Chinese state-sponsored hackers who spent more than four years inside its systems.
The cybersecurity company is tracking the activity under the name Weaver Ant, describing the threat actor as stealthy and highly persistent. The name of the telecommunications provider was not disclosed.
“Using web shells and tunneling, the attackers maintained persistence and facilitated cyber espionage,” Sygnia noted. “The group behind this intrusion (…) is aimed at obtaining and maintaining continuous access to telecommunications providers and facilitating cyber espionage by collecting sensitive information.”
The attack chain is said to have involved the exploitation of a public-facing application to drop two different web shells: an encrypted variant of China Chopper and a previously undocumented malicious tool called INMemory. It is worth noting that China Chopper has been used by multiple Chinese hacking groups in the past.
As its name implies, INMemory is designed to decode a Base64-encoded string and execute it entirely in memory, without writing it to disk, thus leaving no forensic trail.
“The INMemory web shell executed C# code contained in a portable executable (PE) named ‘Eval.dll’, which ultimately executed the payload delivered via an HTTP request,” Sygnia said.
Elephant was also discovered.
Moreover, the encrypted traffic passing through the web shell tunnel was used to carry out a number of post-exploitation actions, including:
- Patching Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI)
- Using System.Management.Automation.dll to execute PowerShell commands without launching PowerShell.exe, and
- Executing commands against the compromised Active Directory environment
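The second item above is visible to defenders in image-load telemetry: the PowerShell engine DLL being loaded by a process that is not a known PowerShell host. The following is an added example, not code from Sygnia's report or from the article; the event records and file paths are constructed to resemble Sysmon Event ID 7 data, and the host-process allowlist is an assumption to tune per environment.

```python
from typing import Iterable

# System.Management.Automation.dll hosts the PowerShell engine. Any process that
# loads it can run PowerShell without powershell.exe ever starting, so image-load
# telemetry (e.g. Sysmon Event ID 7) is where the technique shows up.
AUTOMATION_DLL = "system.management.automation.dll"

# Processes expected to host the engine (assumed allowlist; extend per environment).
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Constructed sample events shaped loosely like Sysmon ID 7 records. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "srv01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation.dll"},
    {"host": "web02", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation.dll"},
    {"host": "web02", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"host": "ws07", "Image": r"C:\Temp\updater.exe",
     "ImageLoaded": r"c:\temp\SYSTEM.MANAGEMENT.AUTOMATION.DLL"},  # case differs on purpose
]


def basename_lower(path: str) -> str:
    """Last path component, lower-cased; tolerates both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_unmanaged_powershell_load(event: dict) -> bool:
    """True when the PowerShell engine DLL is loaded by a process outside the allowlist."""
    if basename_lower(event.get("ImageLoaded", "")) != AUTOMATION_DLL:
        return False
    return basename_lower(event.get("Image", "")) not in EXPECTED_HOSTS


def find_unmanaged_powershell_loads(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (host, loading process) pairs for each suspicious load, de-duplicated in order."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        if is_unmanaged_powershell_load(ev):
            key = (ev.get("host", "?"), basename_lower(ev["Image"]))
            if key not in hits:
                hits.append(key)
    return hits


if __name__ == "__main__":
    for host, proc in find_unmanaged_powershell_loads(SAMPLE_EVENTS):
        print(f"[!] {host}: {proc} loaded the PowerShell engine without powershell.exe")
```

A hit from a web server worker process is the pattern to prioritise, since it is consistent with a web shell driving PowerShell in memory rather than an administrator's interactive session.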
Sygnia said Weaver Ant exhibits signs typically associated with a China-nexus cyber group, based on its targeting patterns and “well-defined” objectives.
This also includes the use of the China Chopper web shell, the use of an Operational Relay Box (ORB) network, and an Outlook-based backdoor previously attributed to Emissary Panda.
“Throughout this period, Weaver Ant adapted its TTPs to the evolving network environment, using innovative methods to regain access and maintain persistence,” the company said. “The modus operandi of China-nexus groups typically involves the sharing of tools, infrastructure, and sometimes manpower, through common contractors.”
China Identifies 4 Taiwan Hackers Allegedly Behind Espionage
The disclosure comes a few days after China’s Ministry of State Security (MSS) accused four individuals allegedly associated with Taiwan’s military of cyber attacks. Taiwan has refuted the allegations.
The MSS stated that the four individuals are members of Taiwan’s Information, Communications and Electronic Force Command (ICEFCOM), and that the entity is involved in phishing attacks, propaganda emails aimed at government and military agencies, and disinformation campaigns.
The attacks allegedly made use of the AntSword web shell, IceScorpion, Metasploit and Quasar RAT.
“ICEFCOM specifically recruited hackers and cybersecurity companies as external support for cyber warfare on behalf of the Democratic Progressive Party (DPP) authorities,” the statement said.
Coinciding with the MSS statement, Chinese cybersecurity firms QiAnXin and Antiy detailed spear-phishing attacks orchestrated by the Taiwanese threat actor codenamed APT-Q-20 (aka APT-C-01, GreenSpot, Poison Cloud Vine and White Dolphin), leading to the delivery of a C++ trojan and command-and-control (C2) activity.
Other initial access methods entail the exploitation of N-day security flaws and weak passwords on internet-facing devices such as routers, cameras and firewalls, QiAnXin added, characterizing the threat actor’s activity as “not particularly intelligent”.