Diving into details
The Symantec Threat Hunter Team singled out Grayling chiefly for its distinctive tradecraft: DLL sideloading paired with a custom decryptor that unpacks and deploys the payload.
- Grayling's initial access appears to come from exploiting public-facing infrastructure.
- Web shells were deployed on some victim machines before the DLL sideloading took place.
- The sideloaded DLL is then used to load payloads including Cobalt Strike, NetSpy, and the Havoc framework. Post-compromise activity includes privilege escalation, network scanning, and the use of downloaders.
- Beyond these tools, Grayling's arsenal includes exploitation of CVE-2019-0803 (a Win32k elevation-of-privilege flaw in Windows), Active Directory discovery, and Mimikatz for credential theft.
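Sideloading is hard to block with patching alone, because the loader is a legitimate signed executable; what gives it away is where the DLL was loaded from and who signed it. The following triage routine is an added example written for this page, not code from Symantec or from Grayling's toolset. It scores Sysmon-style "Image loaded" (Event ID 7) records on three signals: the DLL sits in the same directory as its loader outside Windows' own directories, a signed loader mapped an unsigned or differently signed DLL, and the DLL carries a System32 name while living elsewhere. The field names follow Sysmon's; the loader's own signer is assumed to have been joined in from a separate Authenticode check, and every sample record is constructed.

```python
"""Heuristic triage of DLL sideloading over Sysmon-style "Image loaded" records.

Added example for this page, not code from Symantec or from the Grayling
report. Field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed,
Signature); the loader's own signer is assumed to be joined in from a separate
Authenticode check, and every record in SAMPLE_EVENTS is constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# A DLL sitting next to its loader is normal inside Windows' own directories;
# anywhere else an EXE+DLL pair in one folder is the classic sideloading setup.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")

# System32 DLL names that sideloading frequently impersonates (illustrative
# subset; extend from your own telemetry).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll"}


@dataclass
class ImageLoad:
    image: str           # Sysmon "Image": the process that performed the load
    image_loaded: str    # Sysmon "ImageLoaded": the DLL that was mapped
    loader_signer: str   # assumed: Authenticode signer of `image` ("" if unsigned)
    dll_signed: bool     # Sysmon "Signed" for the DLL
    dll_signer: str      # Sysmon "Signature" for the DLL ("" if unsigned)


def _in_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d.lower() + "\\") for d in TRUSTED_DIRS)


def _same_dir(a: str, b: str) -> bool:
    return str(PureWindowsPath(a).parent).lower() == str(PureWindowsPath(b).parent).lower()


def triage(ev: ImageLoad) -> dict:
    """Return a verdict and the reasons behind it for one image-load record."""
    # Sideloading relies on the DLL resolving from the loader's own directory
    # ahead of the genuine copy, so colocation outside trusted dirs is the anchor.
    if not _same_dir(ev.image, ev.image_loaded) or _in_trusted_dir(ev.image_loaded):
        return {"verdict": "clean", "reasons": []}

    reasons = []
    if ev.loader_signer and not ev.dll_signed:
        reasons.append("signed loader mapped an unsigned DLL from its own directory")
    elif ev.loader_signer and ev.dll_signer and ev.loader_signer != ev.dll_signer:
        reasons.append("loader and colocated DLL carry different signers")
    if PureWindowsPath(ev.image_loaded).name.lower() in SYSTEM_DLL_NAMES:
        reasons.append("DLL uses a System32 name but was loaded from a non-system path")

    return {"verdict": "suspect" if reasons else "clean", "reasons": reasons}


def scan(events):
    """Return (loader, dll, reasons) for every record that triage flags."""
    hits = []
    for ev in events:
        result = triage(ev)
        if result["verdict"] == "suspect":
            hits.append((ev.image, ev.image_loaded, result["reasons"]))
    return hits


SAMPLE_EVENTS = [  # constructed records, not drawn from any real incident
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\kernel32.dll",
              "Microsoft Windows", True, "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", r"C:\Program Files\Vendor\libcrypto.dll",
              "Vendor Corp", True, "Vendor Corp"),
    ImageLoad(r"C:\Users\Public\Libraries\upd\tool.exe", r"C:\Users\Public\Libraries\upd\version.dll",
              "Vendor Corp", False, ""),
    ImageLoad(r"C:\ProgramData\cache\renamed.exe", r"C:\ProgramData\cache\dbghelp.dll",
              "", False, ""),
]

if __name__ == "__main__":
    for loader, dll, reasons in scan(SAMPLE_EVENTS):
        print(f"{loader} -> {dll}")
        for r in reasons:
            print(f"    {r}")
```

Of the four constructed records, only the two that pair a loader with a colocated DLL under a user-writable path are flagged; the vendor application that ships its own identically signed library in Program Files is not, which is the false-positive class this heuristic is tuned to avoid. In a real deployment the same logic maps directly onto a SIEM query over Sysmon Event ID 7, with the signer fields coming from Sysmon's Signed/Signature data for the DLL and a file-reputation or Authenticode lookup for the loader.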
Why this matters
- The targeted sectors, manufacturing, IT, biomedical, and government agencies, are typical of intelligence-gathering campaigns rather than financially motivated crime.
- By relying on off-the-shelf tools, the attackers both save development effort and make attribution harder for investigators. Their deliberate operational hygiene, such as terminating processes, further shows an intent to stay hidden.
The bottom line
While Grayling's exact origin remains uncertain, the heavy targeting of Taiwanese entities suggests it operates from a region with strategic interests in Taiwan. For organizations defending against such threats, close monitoring of network anomalies and disciplined patch management, especially for known exploited vulnerabilities such as CVE-2019-0803, are essential. Because sideloading abuses legitimate signed executables, patching alone will not stop it; alerting on DLLs loaded from the same directory as a signed executable outside system paths is the complementary control.