A previously unknown advanced persistent threat (APT) actor has been targeting Taiwanese organizations across multiple sectors, Broadcom’s Symantec cybersecurity unit reports.
As part of a campaign running between February and May 2023, the APT group, which Symantec tracks as Grayling, also targeted a government entity in the Asia-Pacific region, as well as organizations in the US and Vietnam, likely for intelligence gathering.
Symantec could not definitively link Grayling to a specific geography, but noted that “the heavy targeting of Taiwanese organizations does indicate that they likely operate from a region with a strategic interest in Taiwan.” This typically indicates that the threat actor may be linked to China.
The observed attacks likely exploited web-facing assets for initial access and employed a distinctive DLL sideloading technique to deploy both custom malware and publicly available tools. On some machines, the threat actor deployed web shells prior to executing additional payloads.
Some of the observed tools included Havoc (post-exploitation command-and-control framework), Cobalt Strike, NetSpy (publicly available spyware), Mimikatz (credential dumping), various downloaders, and an unknown payload.
Additionally, the threat actor was seen exploiting CVE-2019-0803, a privilege escalation bug in Windows that is triggered when “the Win32k component fails to properly handle objects in memory,” killing processes, and performing Active Directory discovery.
Following initial access to a victim’s environment, Grayling performed DLL sideloading through an exported API SbieDll_Hook to execute various post-exploitation tools.
The use of both custom and publicly available tools is characteristic to most APTs lately, as it allows them to bypass protections, stay undetected, and prevent attribution. Furthermore, Symantec points out, it is easier for attackers to use readily available tools instead of developing their own with similar features.
Grayling, Symantec also notes, was clearly interested in staying hidden, given the killing of processes to prevent detection, and was likely looking to gather intelligence from the compromised networks.
“While we do not see data being exfiltrated from victim machines, the activity we do see and the tools deployed point to the motivation behind this activity being intelligence gathering. The sectors the victims operate in – manufacturing, IT, biomedical, and government – are also sectors that are most likely to be targeted for intelligence gathering rather than for financial reasons,” Symantec notes.