Kaspersky ICS CERT discovered a campaign targeting industrial organisations in the Asia-Pacific region. The attackers used legitimate cloud services to manage malware and employed a complicated multi-stage malware delivery scheme that relied on legitimate software to avoid detection. As a result, they were able to spread malware across victim organisations' networks, install remote administration tools, manipulate devices, and steal and delete confidential information.
The campaign targeted government agencies and industrial organisations in several countries and territories in the APAC region, including Taiwan, Malaysia, China, Japan, Thailand, Hong Kong, South Korea, Singapore, the Philippines, and Vietnam. Zip archives containing malware, disguised as tax-related documents, were delivered to victims in a phishing campaign via email and messengers (WeChat and Telegram). A complex multi-stage malware installation procedure then installed a backdoor, FatalRAT, on the system.
While there were similarities to workflows observed in previous campaigns orchestrated by threat actors using open-source remote access Trojans (RATs) such as Gh0st RAT, SimayRAT, Zegost, and FatalRAT, this campaign demonstrated a notable shift in tactics, techniques, and procedures specifically tailored to Chinese-speaking targets.
The attack was carried out using the legitimate Chinese cloud content delivery network (CDN) myqcloud and the Youdao Cloud Notes service. The attackers used a variety of methods to evade detection and blocking: dynamically changing control servers and malicious payloads, placing files on legitimate web resources, exploiting vulnerabilities in legitimate applications and abusing legitimate software capabilities to launch malware, and packaging and encrypting files and network traffic.
Kaspersky called this attack campaign SalmonSlalom: the attackers challenged the cyberdefences the way a salmon navigates cascading water while travelling upstream, expending its strength manoeuvring between sharp rocks.
"We repeatedly see threat actors who use combinations of relatively simple attack methods and techniques nevertheless succeed in reaching their targets, even within the OT perimeter. This particular campaign serves as a warning to various industrial organisations in the APAC region, alerting them to threat actors who demonstrate an ability to gain remote access to operational technology systems. Being aware of such potential threats enables these organisations to bolster their security measures and proactively respond to protect their assets and data from malicious actors," comments Evgeny Goncharov, Head of Kaspersky ICS CERT.
Though not attributable to any known group, the consistent use of Chinese-language services and interfaces, combined with other technical evidence, suggests the likely involvement of a Chinese-speaking threat actor.