Orange Magazine
Operation SalmonSlalom: Kaspersky discovered a new attack targeting industrial organizations in APAC

By Team Orange, February 26, 2025

Kaspersky ICS CERT has discovered a campaign targeting industrial organizations in the Asia-Pacific region. The attackers used legitimate cloud services to host and manage their malware, and a complex multi-stage delivery chain that relies on legitimate software to avoid detection. Once inside, they were able to spread malware across victim organizations’ networks, install remote administration tools, manipulate devices, and steal or delete confidential information.

The campaign targeted government agencies and industrial organizations in several countries and territories in the APAC region, including Taiwan, Malaysia, China, Japan, Thailand, Hong Kong, South Korea, Singapore, the Philippines, and Vietnam. Zip archives containing malware, disguised as tax-related documents, were delivered to victims in a phishing campaign via email and messaging apps (WeChat and Telegram). At the end of a complex multi-stage installation procedure, the FatalRAT backdoor was installed on the system.

While there were similarities to workflows observed in earlier campaigns by threat actors using open-source remote access Trojans (RATs) such as Gh0st RAT, SimayRAT, Zegost, and FatalRAT, this campaign showed a notable shift in tactics, techniques, and procedures, which were specifically tailored to Chinese-speaking targets.

The attack was carried out using the legitimate Chinese cloud content delivery network (CDN) myqcloud and the Youdao Cloud Notes service. The attackers used a variety of methods to evade detection and blocking: dynamically changing control servers and malicious payloads, hosting files on legitimate web resources, exploiting vulnerabilities in legitimate applications and abusing legitimate software functionality to launch malware, and packing and encrypting both files and network traffic. Because the hosting and control infrastructure sits on legitimate services, blocklists keyed on domain reputation alone offer limited protection against this campaign.

Kaspersky named the campaign SalmonSlalom: the attackers worked their way through the victims’ cyberdefences the way a salmon travels upstream through cascading water, spending its strength manoeuvring between sharp rocks.

“We repeatedly see threat actors using combinations of relatively simple attack methods and techniques nevertheless succeed in reaching their targets, even within the OT perimeter. This particular campaign serves as a warning to various industrial organizations in the APAC region, alerting them to threat actors who demonstrate an ability to gain remote access to operational technology systems. Being aware of such potential threats enables these organizations to bolster their security measures and proactively respond to protect their assets and data from malicious actors,” comments Evgeny Goncharov, Head of Kaspersky ICS CERT.

Though the campaign cannot be attributed to any known group, the consistent use of Chinese-language services and interfaces, combined with other technical evidence, suggests the likely involvement of a Chinese-speaking threat actor.

We recommend taking the following measures to avoid falling victim to the attack described above:

  • Enable two-factor authentication for logging in to the administration consoles and web interfaces of security solutions.
  • Install up-to-date versions of centrally managed security solutions on all systems, and update antivirus databases and program modules regularly.
  • Check that all security solution components are enabled on all systems, and that active policies prohibit disabling protection or terminating or removing solution components without the administrator password.
  • Check that security solutions receive up-to-date threat intelligence (for instance, from Kaspersky Security Network) on those groups of systems where the use of cloud security services is not prohibited by law or regulation.
  • Update operating systems and applications to versions currently supported by their vendors, and install the latest security updates (patches) for them.
  • Deploy a SIEM system, for example Kaspersky Unified Monitoring and Analysis Platform.
  • Use EDR/XDR/MDR solutions to establish a baseline of the grandparent-parent-child process relationships most commonly observed in your OT environment, and alert on chains that deviate from it. This recommendation stems from the observation that a legitimate function of a legitimate binary was abused to execute the next staged payload; such abuse is far easier to spot as an unusual process chain than as a known-bad file.
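The last recommendation, baselining grandparent-parent-child process chains and flagging unseen ones, can be illustrated with a small script. This is an added example written for this article, not Kaspersky's code or any detection logic from the report; the process-creation events, host names and image names (archiver.exe, legit_app.exe, stager.exe, hmi_client.exe) are constructed placeholders, not artifacts from the campaign.

```python
"""
Baseline grandparent-parent-child process chains from process-creation
telemetry and flag chains that never appeared during the learning window.
Added example for this article; not Kaspersky's code. All events and
process names below are constructed, not taken from the campaign.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Chain = Tuple[str, str, str]   # (grandparent, parent, child) image names
Event = Dict[str, object]      # {"host": str, "pid": int, "ppid": int, "image": str}


def build_chains(events: Iterable[Event]) -> List[Chain]:
    """Resolve parent and grandparent by (host, pid) lookup and return one
    (grandparent, parent, child) triple per event whose parent is known.

    Real EDR telemetry should key on a process GUID rather than a raw pid,
    since pids are reused after a process exits; the constructed sample
    below has no pid reuse, so pid is sufficient here."""
    events = list(events)
    by_key = {(e["host"], e["pid"]): e for e in events}
    chains: List[Chain] = []
    for e in events:
        parent = by_key.get((e["host"], e["ppid"]))
        if parent is None:
            continue                               # tree root on this host
        grandparent = by_key.get((e["host"], parent["ppid"]))
        gp_image = grandparent["image"] if grandparent else "<root>"
        chains.append((gp_image, parent["image"], e["image"]))
    return chains


def learn_baseline(events: Iterable[Event], min_count: int = 2) -> Counter:
    """Count chains over the learning window and keep those seen at least
    min_count times, so a one-off chain during learning does not become
    'normal'. In production the window would span weeks of telemetry."""
    counts = Counter(build_chains(events))
    return Counter({c: n for c, n in counts.items() if n >= min_count})


def find_anomalies(baseline: Counter, events: Iterable[Event]) -> List[Chain]:
    """Return every chain in new telemetry that is absent from the baseline."""
    return sorted({c for c in build_chains(events) if c not in baseline})


def _host_events(host: str) -> List[Event]:
    """Constructed 'quiet day' telemetry for one engineering workstation:
    the service tree plus an operator launching office and HMI software.
    Image names are hypothetical placeholders."""
    rows = [(1, 0, "wininit.exe"), (2, 1, "services.exe"), (3, 2, "svchost.exe"),
            (4, 2, "svchost.exe"), (10, 0, "explorer.exe"),
            (11, 10, "winword.exe"), (12, 10, "hmi_client.exe")]
    return [{"host": host, "pid": p, "ppid": pp, "image": img} for p, pp, img in rows]


# Learning window: the same benign tree observed on two hosts.
BASELINE_EVENTS: List[Event] = _host_events("ews-01") + _host_events("ews-02")

# Detection window (constructed): a third host where the user opens an archive
# from explorer, an application is launched from inside it, and that
# application in turn starts a further stage. All names are hypothetical.
NEW_EVENTS: List[Event] = _host_events("ews-03")[:3] + [
    {"host": "ews-03", "pid": 10, "ppid": 0, "image": "explorer.exe"},
    {"host": "ews-03", "pid": 20, "ppid": 10, "image": "archiver.exe"},
    {"host": "ews-03", "pid": 21, "ppid": 20, "image": "legit_app.exe"},
    {"host": "ews-03", "pid": 22, "ppid": 21, "image": "stager.exe"},
]


def run() -> List[Chain]:
    """Learn from the quiet hosts, then report unseen chains on the new host."""
    baseline = learn_baseline(BASELINE_EVENTS)
    return find_anomalies(baseline, NEW_EVENTS)


if __name__ == "__main__":
    for gp, parent, child in run():
        print(f"unseen chain: {gp} -> {parent} -> {child}")
```

On the constructed data the service tree and the operator's usual applications are all in the baseline, while the three links of the archive-to-application-to-next-stage chain are reported as unseen. The minimum-count threshold matters in practice: a single odd chain observed during learning should not silence later alerts, and the baseline should be kept per role of host (engineering workstation, HMI, historian) rather than pooled across the whole plant.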
TEAM ORANGE is Orange Magazine TV's select contributors. It also contains Press Releases. Please follow @OrangeMagTV on Twitter for other updates.