A previously unknown advanced persistent threat (APT) group used custom malware and multiple publicly available tools to target a number of organizations in the manufacturing, IT, and biomedical sectors in Taiwan.
A government agency located in the Pacific Islands, as well as organizations in Vietnam and the U.S., also appear to have been hit as part of this campaign. This activity began in February 2023 and continued until at least May 2023.
The Symantec Threat Hunter Team, part of Broadcom, has attributed this activity to a new group we are calling Grayling. This activity stood out due to the use by Grayling of a distinctive DLL sideloading technique that uses a custom decryptor to deploy payloads. The motivation driving this activity appears to be intelligence gathering.
There are indications that Grayling may exploit public facing infrastructure for initial access to victim machines. Web shell deployment was observed on some victim computers prior to DLL sideloading activity taking place. DLL sideloading is used to load a variety of payloads, including Cobalt Strike, NetSpy, and the Havoc framework.
The attackers take various actions once they gain initial access to victims’ computers, including escalating privileges, network scanning, and using downloaders.
Tactics, techniques, and procedures (TTPs) used by the attackers included:
- Havoc: An open-source post-exploitation command-and-control framework that attackers began using towards the start of 2023, seemingly as an alternative to Cobalt Strike and similar tools. Havoc is able to carry out a variety of activities including executing commands, managing processes, downloading additional payloads, manipulating Windows tokens, and executing shellcode. Havoc is also notable for being cross-platform.
- Cobalt Strike: An off-the-shelf tool that can be used to execute commands, inject other processes, elevate current processes, or impersonate other processes, and upload and download files. It ostensibly has legitimate uses as a penetration-testing tool but is invariably exploited by malicious actors.
- NetSpy: A publicly available spyware tool.
- Exploitation of CVE-2019-0803: An elevation of privilege vulnerability that exists in Windows when the Win32k component fails to properly handle objects in memory.
- Active Directory discovery: Used to query Active Directory and help map the network.
- Mimikatz: Publicly available credential-dumping tool.
- Kill processes
- Unknown payload downloaded from imfsb.ini
The typical attack chain in this activity appears to be DLL sideloading through exported API SbieDll_Hook. This leads to the loading of various tools, including a Cobalt Strike Stager that leads to Cobalt Strike Beacon, the Havoc framework, and NetSpy. The attackers were also seen loading and decrypting an unknown payload from imfsb.ini. An exploit for CVE-2019-0803 was also used in the course of this activity, while shellcode was also downloaded and executed.
Other post-exploitation activity performed by these attackers includes using kill processes to kill all processes listed in a file called processlist.txt, and downloading the publicly available credential-dumping tool Mimikatz.
While we do not see data being exfiltrated from victim machines, the activity we do see and the tools deployed point to the motivation behind this activity being intelligence gathering. The sectors the victims operate in – manufacturing, IT, biomedical, and government – are also sectors that are most likely to be targeted for intelligence gathering rather than for financial reasons.
The use of custom techniques combined with publicly available tools is typical of the activity we see from APT groups these days, with threat actors often using publicly available or living-off-the-land tools in attempts to bypass security software and help their activity stay under the radar of defenders. Tools like Havoc and Cobalt Strike are also frequently used by attackers due to their wide array of capabilities. It is often easier for even skilled attackers to use existing tools like this than to develop custom tools of their own with similar capabilities. The use of publicly available tools can also make attribution of activity more difficult for investigators. The steps taken by the attackers, such as killing processes etc., also indicate that keeping this activity hidden was a priority for them.
We have not been able to definitively link Grayling to a specific geography, but the heavy targeting of Taiwanese organizations does indicate that they likely operate from a region with a strategic interest in Taiwan.
For the latest protection updates, please visit the Symantec Protection Bulletin.
Indicators of Compromise
If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.
da670d5acf3648b0deaecb64710ae2b7fc41fc6ae8ab8343a1415144490a9ae9 – Havoc framework
79b0e6cd366a15848742e26c3396e0b63338ead964710b6572a8582b0530db17 – Downloader
bf1665c949935f3a741cfe44ab2509ec3751b9384b9eda7fb31c12bfbb2a12ec – Downloader
c2a714831d8a7b0223631eda655ce62ff3c262d910c0a2ed67c5ca92ef4447e3 – Cobalt Strike Beacon
667624b10108137a889f0df8f408395ae332cc8d9ad550632a3501f6debc4f2c – Exploit for CVE-2019-0803
87a7e428d08ecc97201cc8f229877a6202545e562de231a7b4cab4d9b6bbc0f8 – Downloader
90de98fa17294d5c918865dfb1a799be80c8771df1dc0ec2be9d1c1b772d9cf0 – Loader
8b6c559cd145dca015f4fa06ef1c9cd2446662a1e62eb51ba2c86f4183231ed2 – Cobalt Strike Stager
d522bf1fb3b869887eaf54f6c0e52d90514d7635b3ff8a7fd2ce9f1d06449e2c – NetSpy
4fbe8b69f5c001d00bd39e4fdb3058c96ed796326d6e5e582610d67252d11aba – DLL file
9bad71077e322031c0cf7f541d64c3fed6b1dc7c261b0b994b63e56bc3215739 – NetSpy
f2aaedb17f96958c045f2911655bfe46f3db21a2de9b0d396936ef6e362fea1b – Downloader
525417bdd5cdd568605fdbd3dc153bcc20a4715635c02f4965a458c5d008eba9 – Downloader
23e5dfaf60c380837beaddaaa9eb550809cd995f2cda99e3fe4ca8b281d770ae – Downloader
6725e38cbb15698e957d50b8bc67bd66ece554bbf6bcb90e72eaf32b1d969e50 – Downloader
5ef2e36a53c681f6c64cfea16c2ca156cf468579cc96f6c527eca8024bfdc581 – Downloader 12924d7371310c49b1a215019621597926ef3c0b4649352e032a884750fab746 – Windump