- As part of the campaign, the attackers are exploiting internet-facing applications for initial access and deploying various tools to escalate privileges, execute code, and gain remote access.
- Since May, they have been found exploiting a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik UI for ASP.NET AJAX to execute malicious DLL code remotely on targeted servers.
- The DLL then initiates a sequence of steps that causes the deployment of an array of tools on websites.
- These tools are hosted on an attacker-controlled HTTP File Server and include downloader scripts, remote access scripts, webshells, exploits, and Cobalt Strike beacons.
- In the final stage, the user information such as billing and credit card details is exfiltrated using Cloudflare.
- The threat actor responsible for the campaign remains unknown. However, based on the GitHub repository used in the campaign and the Chinese-language code in the PowerShell RAT, researchers believe it to be the work of a Chinese hacker group.
- Moreover, the attacker’s C2 server is located in Asia, indicating that the threat actor lives or operates in Asia.
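The exploitation step above targets the RadAsyncUpload handler that Telerik UI for ASP.NET AJAX exposes at `Telerik.Web.UI.WebResource.axd?type=rau`, so the web server's own access logs are the first place a defender can look. The following is an added example, not code from the BlackBerry report: it parses IIS W3C log lines, flags POST requests to that handler, summarizes them per source address, and includes a build-version check against the R1 2020 release (2020.1.114) in which Progress shipped the fix. The log lines are constructed samples, and the function names are this example's own.

```python
"""Triage helper for IIS logs: surface POSTs to the Telerik RadAsyncUpload
handler (the endpoint abused in CVE-2019-18935) and check Telerik build versions.

Added example; not part of the original report. SAMPLE_LOG is constructed.
"""
from collections import defaultdict
from urllib.parse import parse_qs

# Handler path (matched case-insensitively) and the first patched Telerik build.
RAU_ENDPOINT = "telerik.web.ui.webresource.axd"
FIX_BUILD = (2020, 1, 114)  # R1 2020; treat builds below this as unpatched

# Constructed sample in IIS W3C extended format (User-Agent spaces are '+' in IIS).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status time-taken
2022-10-03 08:12:44 10.0.0.5 GET /default.aspx - 443 203.0.113.10 Mozilla/5.0 200 15
2022-10-03 08:13:01 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.10 python-requests/2.28 200 312
2022-10-03 08:13:02 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.10 python-requests/2.28 500 2041
2022-10-03 08:13:09 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.7 Mozilla/5.0 200 4
2022-10-03 08:14:00 10.0.0.5 GET /checkout.aspx - 443 198.51.100.7 Mozilla/5.0 200 22
"""


def parse_iis_log(text):
    """Parse IIS W3C log text into dicts keyed by the names in the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def is_rau_handler_request(rec):
    """True when the request hits the RadAsyncUpload handler (type=rau)."""
    stem = rec.get("cs-uri-stem", "").lower()
    if not stem.endswith(RAU_ENDPOINT):
        return False
    query = parse_qs(rec.get("cs-uri-query", ""))  # IIS writes '-' for no query
    return "rau" in [v.lower() for v in query.get("type", [])]


def find_rau_posts(records):
    """POSTs to the handler; uploads (benign or not) arrive this way, GETs do not."""
    return [r for r in records if r.get("cs-method") == "POST" and is_rau_handler_request(r)]


def summarize_by_client(records):
    """Per source IP: number of handler POSTs and how many ended in a 5xx."""
    summary = defaultdict(lambda: {"posts": 0, "server_errors": 0})
    for r in find_rau_posts(records):
        entry = summary[r["c-ip"]]
        entry["posts"] += 1
        if r["sc-status"].startswith("5"):
            entry["server_errors"] += 1
    return dict(summary)


def is_telerik_build_patched(version):
    """Compare a Telerik.Web.UI assembly version such as '2019.3.1023' to FIX_BUILD."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts >= FIX_BUILD


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    for ip, stats in summarize_by_client(recs).items():
        print(f"{ip}: {stats['posts']} RAU POST(s), {stats['server_errors']} server error(s)")
    print("2019.3.1023 patched?", is_telerik_build_patched("2019.3.1023"))
```

A legitimate RadAsyncUpload control on the site also POSTs to this handler, so the output is a triage list rather than a verdict: a source address that sends handler POSTs with a scripting user agent and no surrounding page traffic, or that draws server errors from the handler, is what merits a closer look, and a Telerik build that fails the version check should be upgraded regardless of what the logs show.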
The campaign initially targeted the APAC region; since October 2022, however, it has included Canada and the U.S., indicating that the attackers are actively seeking to expand their attacks to North America. The campaign primarily targets online businesses and PoS providers, especially organizations running ASP.NET on IIS web servers.
The technical complexity of the operation hints that this may be the work of an advanced or experienced actor. Given that the campaign is ongoing and continues to widen the geographic spread of its victims, organizations must stay updated on the infrastructure and other exploitation tools used in the attack. For this, they can leverage the IOCs provided by the BlackBerry Research & Intelligence Team.