Evolving Playbooks in Targeted APT Attacks across Asia Pacific and Japan

Posted on by Vicky Ray

For the past few years, Asia Pacific and Japan have continued to be a regular target of cyber adversaries. At RSA Conference 2017 Asia Pacific & Japan in Singapore, some of the APT attack cases impacting the region were identified.

Key reasons for the Asia Pacific & Japan (APJ) to experience high number of targeted attacks include the region’s high economic growth and the decade-long ongoing territorial disputes. Some of the campaigns discussed highlight the unique TTP’s (Tactics, Techniques and Procedures) adversaries have been incorporating in their operations to target victims, which have since evolved due to increasing sophistications of the cybersecurity landscape.

The following summarizes some of the evolving playbooks of adversaries since early 2017:

1.     DragonOK Group updates toolset and targets multiple geographic regions in the APJ region

The DragonOK group has actively launched attacks for years. A new backdoor malware called ‘FormerFirstRAT’ surfaced back in 2015, which was used to target victims in Japan between January and March that year. The use of multiple new variants of the sysget malware along with ‘IsSpace’ and ‘Tidepool’ malware families were highlighted in 2017. Research showed that The DragonOK group constantly update their tools and tactics to make detection and analysis more difficult.

2.   Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations

Around the end of 2016, an adversary group used the ‘Trochilus RAT’ and a newly identified RAT ‘MoonWind’ to target organizations in Thailand, including a utility company. The attackers compromised two legitimate Thai websites to host the malware. The group is also known to target other Southeast Asian countries.

While campaigns using the ‘Trochilus RAT’ have been active since 2013, the discovery of the ‘MoonWind RAT’ indicates the evolving of the group’s playbook.

3.     The New and Improved macOS Backdoor from OceanLotus

The Ocean Lotus group largely targets organizations and individuals in Southeast Asia. A new version of the OceanLotus backdoor was discovered, one of the more advanced backdoors seen on macOS during the time of discovery. This variant targeted victims in Vietnam.

4.     SunOrcal Activity

Threat actors behind the SunOrcal malware have been known to target individuals from these groups: Uyghurs (particularly those supporting East Turkestan independence), Tibetans (particularly those supportive of Tibetan independence), Falun Gong practitioners, Supporters of Taiwan independence and Supporters of Chinese democracy. SunOrcal activity has been documented to as recent as 2013, and were found to be active since 2010. A new malware family named ‘Reaver’ has been discovered and linked to attackers who use ‘SunOrcal’ malware. In researching on the new ‘Reaver’ malware, a new variant of the SunOrcal malware family was uncovered. This activity has also been tied to the Surtr malware family, another tool used by these attackers. It is interesting to note the rollout out of the multiple variants of ‘Reaver’, along with an updated variant of a known family, coincides with new targets previously untargeted, including Vietnam and Myanmar.

5.     Comnie Continues to Target Organizations in East Asia

The group behind the Comnie malware family has largely focused their efforts at targeting organizations in the East Asia region. Notably, they leverage online blogs and third-party services to obtain C2 information. Recent instances of the malware were observed manifesting on github.com, tumbler.com, and blogspot.com. Analysis suggests that main targets of the threat actor likely included organizations in Telecommunication, Defense, Government, High Tech and Aerospace sectors, with recent attacks seen targeting Aerospace and Defense sectors in South Korea and Telecommunication sector in Taiwan. Historical attacks also identified appear to target the Taiwan government, an IT service vendor based in Asia and a journalist of a Tibetan radio station.

The above targeted APT campaigns are just some of the campaigns being actively tracked across the region.  These findings suggest that the adversary groups behind these targeted campaigns have been persistent in their attacks and have evolved their playbooks to include new tools and tactics to avoid being detected. The findings also suggest that the Asia Pacific & Japan region have been and will continue to experience large number of growing targeted attacks. It is imperative to understand the current playbooks of threat actors to better defend against such APT attack groups.

Vicky Ray

Principal Researcher, Palo Alto Networks

hackers & threats

More Related To This

Share With Your Community