Elusive APT Group ‘Gelsemium’ Emerges in Rare Southeast Asian Attack, Unveils Unique Tactics.
KEY FINDINGS
- Gelsemium APT Resurgence: The rarely seen APT group, Gelsemium, has reemerged in a sophisticated cyberattack targeting a Southeast Asian government entity.
- CL-STA-0046 Cluster: Palo Alto Networks’ Unit 42 uncovered a unique cluster of cyber activities, labeled CL-STA-0046, indicative of Gelsemium’s covert operations.
- Rare Tools and Techniques: Gelsemium leveraged a combination of rarely seen tools and tactics to infiltrate IIS servers, maintaining a clandestine presence for over six months in 2022-2023.
- Web Shells and Backdoors: The threat actor behind CL-STA-0046 employed various web shells and backdoors, including OwlProxy and SessionManager, previously linked to the group’s targeting of entities in Laos.
- Moderate Attribution Confidence: Unit 42 attributes CL-STA-0046 to the Gelsemium APT group with moderate confidence, shedding light on a threat entity that has remained elusive in the cybersecurity landscape.
Cybersecurity researchers at Palo Alto Network’s Unit 42 have shed light on the activities of an enigmatic APT group known as ‘Gelsemium.’ The group’s covert operations were discovered during an investigation into a Southeast Asian government’s compromised systems, labelled as ‘CL-STA-0046.’
Operating stealthily for over six months from 2022 to 2023, this clandestine cluster of attacks employed a series of rare tools and techniques, establishing a covert presence within sensitive IIS servers of a Southeast Asian government entity.
The main backdoors utilized by the threat actors were ‘OwlProxy’ and ‘SessionManager,’ an uncommon combination previously linked to targeting entities in Laos in 2020. The attribution of this activity to the Gelsemium APT group, albeit with moderate confidence, provides unprecedented insight into a threat entity that has remained elusive with only a handful of public reports to its name.
The Gelsemium APT group, operational since 2014, has gained notoriety for its diverse targeting, encompassing governments, universities, electronics manufacturers, and religious organizations, predominantly in East Asia and the Middle East. However, details about its tactics, techniques, and procedures (TTPs) have been scarce until now.
Unit 42’s analysis not only delves deep into the tools and strategies employed by this mysterious APT group but also offers a comprehensive timeline of observed operations, presenting a valuable repository of indicators for potential defenders.
Palo Alto Networks customers benefit from advanced threat protection against the identified threats through various security solutions, underscoring the importance of a robust cybersecurity posture in today’s threat landscape.
The threat actor responsible for CL-STA-0046 initiated their intrusion by deploying web shells on a compromised server. These web shells included ‘reGeorg,’ ‘China Chopper,’ and ‘AspxSpy,’ with one of the AspxSpy web shells previously linked to Iron Taurus (aka APT 27). However, this particular web shell’s public availability disqualifies it from attribution considerations.
The attackers proceeded to conduct lateral movement through SMB and performed reconnaissance commands, extracting crucial information about their target. Some instances involved the delivery of additional tools, such as ‘demo.exe,’ alongside attempts at privilege escalation using the ‘Potato Suite’ (JuicyPotato, BadPotato, and SweetPotato).
To secure their foothold, the attackers downloaded a series of tools, including ‘OwlProxy,’ ‘SessionManager,’ ‘Cobalt Strike,’ ‘SpoolFool,’ and ‘EarthWorm.’ These tools, some rarely seen in previous attacks, signify a sophisticated approach to intrusion.
‘SessionManager,’ a custom backdoor employed by the Gelsemium APT group, allows for remote command execution and file manipulation on web servers, all while utilizing the server as a proxy for communication with other network systems. This particular backdoor was previously documented in government, military, and industrial compromises.
‘OwlProxy,’ another unique tool, acts as an HTTP proxy with backdoor capabilities. Although first discovered in 2020 in an attack against the Taiwanese government attributed to Gelsemium, this variant of OwlProxy exhibits custom features that expand the actor’s proxy capabilities.
The attackers attempted to execute ‘Artifactd.exe,’ a Cobalt Strike beacon, and ‘EarthWorm,’ a SOCKS tunneler. These tools aimed to facilitate communication with their command and control servers.
Additionally, ‘SpoolFool,’ a local privilege escalation (LPE) proof of concept (PoC), was employed to exploit CVE-2022-21999 (Windows Print Spooler Elevation of Privilege Vulnerability) to create a local administrator user.
Unit 42’s attribution of CL-STA-0046 activities to the Gelsemium APT group is supported by the unique combination of tools, particularly ‘SessionManager’ and ‘OwlProxy.’ This combination has only been publicly associated with the Gelsemium APT group. The victimology aligns with Gelsemium’s past targets in Southeast Asia.
The emergence of the Gelsemium APT group in a rare Southeast Asian attack underscores the need for heightened security measures, continuous monitoring, and proactive threat intelligence sharing among government bodies and affected industries in the region.
By adopting a multilayered defence approach and staying informed about evolving threats, organizations can fortify their cybersecurity against persistent adversaries like Gelsemium.