“With moderate-high confidence, we conclude that (one cluster of) activity is linked to the Chinese cyberespionage group Stately Taurus,” Unit 42 said. “This attribution is underpinned by the utilization of distinctive, rare tools such as the ToneShell backdoor that have not been publicly documented in association with any other known threat actor.”
Additionally, the blog attributed Alloy Taurus “with a moderate level of confidence” for another cluster of multiwave intrusions capitalizing on vulnerabilities in Exchange Servers to deploy a large number of web shells.
The APTs conducted reconnaissance on the breached networks using tools including the Chinese open-source scanning framework LadonGo, the IP scanner NBTScan, the command-line tool ADFind, and Impacket. For credential stealing, the miscreants used credential harvesting tools such as Hdump, MimiKatz, and DCSync.
After the initial infection, the state actors attempted to install additional tools and malware to maintain a foothold in the environment and establish persistence. The tools they used for this included the penetration testing beacon Cobalt Strike and the Quasar remote access Trojan (RAT). They also used SSH tunneling through the command-line tools PuTTY Link and HTran.
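The tool list above maps cleanly onto a process-creation triage check a defender can run. The following is an added example, not code from the article or from Unit 42: it scans constructed process-creation events (host, user, image path, command line, labelled as constructed) for the named reconnaissance, credential-theft and tunneling binaries, and separately flags PuTTY Link invocations that carry a port-forwarding switch. The `-R`/`-L`/`-D` switches are PuTTY Link's documented forwarding options; the HTran command-line shape in the sample is assumed, and the simple comma-separated log format is a simplification for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not from the article).
# Format: host,user,image_path,command_line  (no commas inside fields)
SAMPLE_EVENTS = """\
srv-ex01,SYSTEM,C:\\Windows\\System32\\svchost.exe,svchost.exe -k netsvcs
srv-ex01,CORP\\svc_backup,C:\\Users\\Public\\plink.exe,plink.exe -N -R 8443:127.0.0.1:3389 user@203.0.113.10 -pw ***
ws-014,CORP\\alice,C:\\Tools\\AdFind.exe,AdFind.exe -f objectcategory=computer
ws-014,CORP\\alice,C:\\Tools\\nbtscan.exe,nbtscan.exe 10.0.0.0/24
srv-ex01,CORP\\svc_backup,C:\\Temp\\htran.exe,htran.exe -slave 203.0.113.10 443 127.0.0.1 3389
ws-022,CORP\\bob,C:\\Program Files\\Git\\usr\\bin\\ssh.exe,ssh.exe git@github.com
"""

# Binary names taken from the tool list in the article (lower-cased basenames).
RECON_TOOLS = {"ladon.exe", "ladongo.exe", "nbtscan.exe", "adfind.exe"}
CRED_TOOLS = {"mimikatz.exe", "hdump.exe"}
TUNNEL_TOOLS = {"plink.exe", "htran.exe"}

# PuTTY Link port-forwarding switches: -R (remote), -L (local), -D (dynamic).
# Matched as standalone tokens so "-pw" or "-Rx" are not false hits.
PLINK_FORWARD_FLAGS = re.compile(r"(?<!\S)-[RLD](?!\S)")


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    exe: str
    tags: tuple


def classify_event(line: str) -> Finding:
    """Tag one process-creation event with the tool categories it matches."""
    host, user, image, cmdline = line.split(",", 3)
    # Normalise the image path to a lower-cased basename regardless of slash style.
    exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    tags = []
    if exe in RECON_TOOLS:
        tags.append("recon-tool")
    if exe in CRED_TOOLS:
        tags.append("credential-tool")
    if exe in TUNNEL_TOOLS:
        tags.append("tunnel-tool")
        # A forwarding switch on plink is the strongest signal of SSH tunneling.
        if exe == "plink.exe" and PLINK_FORWARD_FLAGS.search(cmdline):
            tags.append("plink-port-forward")
    return Finding(host, user, exe, tuple(tags))


def triage(events: str) -> list:
    """Return only the events that matched at least one tool category."""
    findings = (classify_event(l) for l in events.splitlines() if l.strip())
    return [f for f in findings if f.tags]


def hosts_with_tunneling(events: str) -> set:
    """Hosts on which a tunneling tool was launched; a natural pivot for IR scoping."""
    return {f.host for f in triage(events) if "tunnel-tool" in f.tags}


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:10} {f.user:18} {f.exe:12} {', '.join(f.tags)}")
    print("tunneling hosts:", sorted(hosts_with_tunneling(SAMPLE_EVENTS)))
```

Ordinary `ssh.exe` and `svchost.exe` launches produce no finding, so the output is limited to the four events a responder would want to examine first; in a real deployment the binary-name sets would be complemented by hash or signer checks, since renamed tools evade a basename match.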
Rare Backdooring by Gelsemium APT
With a “moderate level of confidence,” Unit 42 attributed a third cluster to the Gelsemium group, which is not linked to any specific state and which used a rare combination of tools.
“This assessment is based on the unique combination of malware that attackers used, namely the SessionManager IIS backdoor and OwlProxy,” Unit 42 said. “The cluster featured a combination of rare tools and techniques that the threat actor leveraged to gain a clandestine foothold and collect intelligence from sensitive servers belonging to a government entity in Southeast Asia.”