Several Chinese APTs Have Been Targeting Telecommunications of Asian Country Since 2021
20 June 2024 at 11:44
Researchers have discovered that various threat actor groups associated with Chinese state-linked espionage have been conducting a sustained hacking campaign against telecommunications operators in an unnamed Asian country since at least 2021.
The attackers relied on custom malware and tactics tied to several China-linked espionage groups, suggesting Chinese state sponsorship.
Malware Variants Used in Chinese Espionage Campaign
Researchers from Symantec observed the use of several custom malware families linked to China-based threat actors, including:
- Coolclient: A backdoor attributed to the Fireant group (also known as Mustang Panda or Earth Preta) that logs keystrokes and communicates with command-and-control servers. The campaign used a version delivered via a trojanized VLC media player.
- Quickheal: A backdoor associated with the Needleminer group, also known as RedFoxtrot or Nomad Panda. The variant used in the campaign was nearly identical to those documented in 2021. It communicated with a command server at swiftandfast[.]net.
- Rainyday: A backdoor tied to the Firefly group, also known as Naikon. Multiple variants were deployed using trojanized executables to sideload malicious loaders and decrypt payloads. At least one loader variant matched those linked to Firefly in 2021.
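The one concrete network indicator the report gives is the Quickheal command server swiftandfast[.]net. The following is an added example, not code from Symantec or from the article, showing how a defender would turn that defanged indicator into a DNS-log check: it refangs the published notation, matches the domain and any subdomain of it (but not look-alike names that merely end in the same string), and returns the matching log entries. The log line format is an assumption resembling a BIND-style query log, and all sample lines are constructed.

```python
"""Flag DNS query log lines that resolve a published C2 domain.

Added example (not from the original report). The only indicator taken from
the article is swiftandfast[.]net; the log format and sample lines below are
constructed for illustration.
"""
import re

# Indicator as published in the article, in defanged form.
DEFANGED_IOCS = ["swiftandfast[.]net"]


def refang(ioc: str) -> str:
    """Convert defanged notation ([.] and hxxp) back into a matchable domain."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


def domain_matches(query: str, ioc_domain: str) -> bool:
    """True if the queried name is the IOC domain or a subdomain of it.

    The leading-dot check prevents look-alikes such as notswiftandfast.net
    from matching swiftandfast.net.
    """
    q = query.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


# Assumed line shape (constructed, BIND-like):
# "<date> <time> client <ip>#<port>: query: <name> IN <type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)"
)


def scan_dns_log(lines, defanged_iocs=DEFANGED_IOCS):
    """Return one hit dict per log line whose queried name matches an IOC."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a query line; skip rather than fail
        for ioc in iocs:
            if domain_matches(m["name"], ioc):
                hits.append({
                    "ts": m["ts"],
                    "src": m["src"],
                    "name": m["name"].rstrip("."),
                    "ioc": ioc,
                })
    return hits


# Constructed sample log: one benign query, one exact match, one subdomain
# match, one look-alike that must not match, and one non-query line.
SAMPLE_LOG = [
    "20-Jun-2024 11:44:01.123 client 10.0.0.5#51234: query: www.example.com IN A",
    "20-Jun-2024 11:44:02.456 client 10.0.0.7#51235: query: swiftandfast.net IN A",
    "20-Jun-2024 11:44:02.789 client 10.0.0.7#51236: query: update.swiftandfast.net. IN A",
    "20-Jun-2024 11:44:03.001 client 10.0.0.9#40001: query: notswiftandfast.net IN A",
    "20-Jun-2024 11:44:03.500 zone example.com/IN: loaded serial 2024062001",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} queried {hit['name']} (IOC: {hit['ioc']})")
```

Running the script against the constructed log reports the two queries from 10.0.0.7 and ignores the look-alike domain; swapping SAMPLE_LOG for a real query log and extending DEFANGED_IOCS with further indicators from the report is all that is needed to reuse it.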