In collaboration with QGroup GmbH, SentinelLabs recently observed initial threat activities targeting the telecommunication sector. It is highly likely that these attacks were conducted by a Chinese cyber espionage actor related to the Operation Soft Cell campaign.
The initial attack phase involves infiltrating internet-facing Microsoft Exchange servers to deploy webshells used for command execution. Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities.
The deployment of custom credential theft malware is central to this new campaign. The malware implements a series of Mimikatz modifications built into closed-source tooling. SentinelLabs’ research details the multi-component architecture and functionality of a sample – referred to as mim221 – a recent version of an actively maintained credential theft capability, upgraded with new anti-detection features.
The use of special-purpose modules that implement a range of advanced techniques shows the threat actors’ dedication to advancing their toolset towards maximum stealth.
Key points
- SentinelLabs observed initial phases of attacks against telecommunication providers in the Middle East in Q1 of 2023.
- This activity represents an evolution of tooling associated with Operation Soft Cell.
- While it is highly likely that the threat actor is a Chinese cyber espionage group in the nexus of Gallium and APT41, the exact grouping remains unclear.
- SentinelLabs observed the use of a well-maintained, versioned credential theft capability and a new dropper mechanism indicative of an ongoing development effort by a highly motivated threat actor with specific tasking requirements.
Conclusion
Chinese cyber espionage threat actors are known to have a strategic interest in the Middle East. This is evident from their consistent targeted attacks on various entities, including government, finance, entertainment, and telecommunication organisations. The recent activities targeting the telecommunication sector that this report discusses are among the latest such attacks.
SentinelLabs’ analysis of mim221 highlights the continuous maintenance and further development of the Chinese espionage malware arsenal. These threat actors will almost certainly continue exploring and upgrading their tools with new techniques for evading detection, including integrating and modifying publicly available code.
SentinelLabs continues to monitor espionage activities, and it is hoped that defenders will use these findings to bolster their defences.
Please click here to see the full report.