High-Profile Organizations in Southeast Asia Hit by Targeted Cyberattacks
The Symantec Threat Hunter Team has uncovered a sophisticated cyber campaign targeting high-profile organizations in Southeast Asia. Among the victims are government ministries in two countries, an air traffic control organization, a telecommunications company, and a media outlet. These attacks, ongoing since at least October 2023, primarily aim to gather intelligence.
The attackers utilized a blend of open-source and “living-off-the-land” tools. Of particular note are tools linked to Chinese APT groups, including Earth Baku (aka APT41, Brass Typhoon). The campaign featured a wide array of tools, such as:
- Rakshasa: A proxy tool previously associated with Earth Baku, designed for multi-level proxying and internal network penetration.
- Impacket: A Python-based framework for network protocol manipulation, heavily used for remote command execution.
- FastReverseProxy (FRP): An open-source tool to expose local servers to the public internet.
- PlugX (Korplug): A remote access Trojan with modular capabilities, initially linked to Chinese state-backed groups like Budworm (APT27).
- Stowaway Proxy Tool: A multi-hop proxy tool enabling network traffic to bypass internal access restrictions.
The attackers also exploited legitimate applications for DLL sideloading, including Bitdefender’s Crash Handler from 2011. “Living-off-the-land” techniques like using PowerShell, Windows Management Instrumentation (WMI), and registry edits were heavily leveraged to avoid detection.
In one of the documented attacks, beginning in May 2024, attackers infiltrated a targeted organization’s network, executing commands via WMI and bypassing user account control (UAC). By planting keyloggers, reverse proxies, and tools like Rakshasa, they maintained a foothold for months.
For exfiltration, attackers compressed files with WinRAR into password-protected archives before uploading them to cloud storage services like File.io. Symantec noted, “This extended dwell time and calculated approach underscore the sophistication and persistence of the threat actors.”
While specific attribution remains elusive due to overlapping tactics, techniques, and procedures (TTPs), multiple indicators suggest a connection to China-based APT groups. These include the use of tools historically linked to Fireant (APT31), Earth Baku, and Budworm. However, as Symantec observed, “Due to many of these groups frequently sharing tools and using similar TTPs, specific attribution in this case is not possible.”
