Stately Taurus is tied to two campaigns targeting Myanmar's Ministry of Defence and Ministry of Foreign Affairs during the Three Brotherhood Alliance (3BHA) rebel offensive. Both campaigns share the same tradecraft: DLL side-loading through a legitimate, signed host binary, persistence via an autorun registry key, RC4-encrypted C2 traffic, and C2 traffic disguised as Microsoft update requests.
#StatelyTaurus #3BHA
Keypoints
- Two campaigns attributed to Stately Taurus appear to target Myanmar’s MoD and Foreign Affairs amid Three Brotherhood Alliance (3BHA) activity.
- Campaign #1 (Analysis of the third meeting of NDSC.zip) pairs a legitimate, benign binary with a malicious DLL that the binary picks up through DLL search order hijacking; persistence is a registry Run value named gameestrto.
- Campaign #2 (ASEAN Notes.iso) uses LNK lures to launch a Microsoft-signed binary that side-loads GetCurrentDeploy.dll, with the same persistence and C2 tradecraft as Campaign #1.
- Both campaigns use a stager that communicates with a C2 server using an RC4-encrypted protocol and attempts to disguise traffic as Microsoft update requests.
- Publicly documented indicators include specific DLLs, LNKs, and a set of C2 infrastructure details (IP addresses, domain, and a certificate CN) linking the campaigns to Stately Taurus.
- Infrastructural details tie the operations to a common CN (WIN-9JJA076EVSS) and Malaysian hosting, consistent with prior Stately Taurus activity observed by other researchers.
MITRE Techniques
- [T1574.001] DLL search order hijacking – leverages “DLL Search Order Hijacking” to side-load the malicious DLL. “the threat actor leverages DLL Search Order Hijacking to side-load the malicious DLL”
- [T1547.001] Registry Run Keys/Startup Folder – creates a persistent autorun entry that relaunches the host binary with a command-line argument (starmygame / StarWegameToyOU) controlling which code path executes. "autorun key is created with the name gameestrto"
- [T1140] Deobfuscation/Decode Files or Information – RC4-encrypted payloads decrypted to second-stage malware. “RC4 encrypted”
- [T1036] Masquerading – disguises network traffic as Microsoft update traffic. “disguise network traffic by making it appear to be related to Microsoft update traffic”
Indicators of Compromise
- [File/Archive] Analysis of the third meeting of NDSC.zip, ASEAN Notes.iso, and the related LNK lures (ASEAN 2024.lnk, NS.lnk, MS.lnk, Mofa memo.lnk)
- [Hash] SHA-256 – b7e042d2accdf4a488c3cd46ccd95d6ad5b5a8be71b5d6d76b8046f17debaa18, ce4f7e7ce82a5621b5409ccb633e27269a05ce17d1b049feda9fbc4793e6c484
- [File] office.exe – legitimate Microsoft-signed binary abused as the side-loading host
- [File] GetCurrentDeploy.dll – DLL used in DLL side-loading in Campaign #2
- [C2 IP] 123.253.32.15, 103.159.132.80, 37.120.222.19
- [C2 Domain] openservername.com
- [Certificate CN] WIN-9JJA076EVSS
- [Autorun key] gameestrto
- [CLI argument] starmygame, StarWegameToyOU
- [LNK files] ASEAN 2024.lnk, NS.lnk, MS.lnk, Mofa memo.lnk
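The techniques and indicators above translate directly into hunt logic. The script below is an added example written for this summary, not code from the original report: it scans Sysmon-style event records for the page's IoCs (Run value name, CLI arguments, side-loaded DLL, C2 IPs and domain, lure file names and SHA-256s) and also flags the generic side-loading shape of a signed host loading an unsigned DLL from its own directory. The event records are constructed sample data, the field names are assumptions about how a collector would normalise Sysmon events, and the "Microsoft-looking Host header on a known C2 IP" check is a heuristic that assumes the masquerade is visible in an HTTP Host header.

```python
"""Hunt for the Stately Taurus indicators listed on this page in Sysmon-style
telemetry. Added example for this summary; the events below are constructed."""
import ntpath
from typing import Iterable

# Indicators copied from the page's IoC list, lower-cased for matching.
C2_IPS = {"123.253.32.15", "103.159.132.80", "37.120.222.19"}
C2_DOMAINS = {"openservername.com"}
RUN_VALUE_NAMES = {"gameestrto"}
CLI_ARGS = {"starmygame", "starwegametoyou"}
SIDELOAD_DLLS = {"getcurrentdeploy.dll"}
LURE_NAMES = {
    "analysis of the third meeting of ndsc.zip", "asean notes.iso",
    "asean 2024.lnk", "ns.lnk", "ms.lnk", "mofa memo.lnk",
}
SHA256S = {
    "b7e042d2accdf4a488c3cd46ccd95d6ad5b5a8be71b5d6d76b8046f17debaa18",
    "ce4f7e7ce82a5621b5409ccb633e27269a05ce17d1b049feda9fbc4793e6c484",
}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def scan_event(ev: dict) -> list[tuple[str, str]]:
    """Return (technique, reason) matches for one normalised event."""
    hits: list[tuple[str, str]] = []
    kind = ev["type"]
    if kind == "process":
        cmd = ev.get("cmdline", "").lower()
        for arg in sorted(CLI_ARGS):
            if arg in cmd:
                hits.append(("T1547.001", f"known CLI argument {arg!r} in command line"))
    elif kind == "image_load":
        dll = _base(ev["loaded"])
        if dll in SIDELOAD_DLLS:
            hits.append(("T1574.001", f"known side-loaded DLL {dll}"))
        # Generic side-loading shape: a signed host loads an unsigned DLL
        # sitting in the host's own directory (assumed signature fields).
        if ev.get("host_signed") and not ev.get("dll_signed") \
                and _dir(ev["loaded"]) == _dir(ev["image"]):
            hits.append(("T1574.001",
                         f"signed {_base(ev['image'])} loaded unsigned {dll} from its own directory"))
    elif kind == "registry":
        if "\\currentversion\\run" in ev["key"].lower():
            name = ev.get("value_name", "").lower()
            data = ev.get("data", "").lower()
            if name in RUN_VALUE_NAMES:
                hits.append(("T1547.001", f"Run value named {name}"))
            if any(arg in data for arg in CLI_ARGS):
                hits.append(("T1547.001", "Run value data carries a known CLI argument"))
    elif kind == "dns":
        q = ev["query"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
            hits.append(("C2", f"DNS query for {q}"))
    elif kind == "network":
        ip = ev["dest_ip"]
        host = ev.get("http_host", "").lower()
        if ip in C2_IPS:
            hits.append(("C2", f"connection to known C2 {ip}"))
            # Heuristic (assumption): Microsoft-looking Host header on a C2 IP.
            if "microsoft" in host or "windowsupdate" in host:
                hits.append(("T1036", f"Host header {host!r} sent to non-Microsoft IP {ip}"))
    elif kind == "file":
        name = _base(ev["path"])
        if name in LURE_NAMES:
            hits.append(("lure", f"lure file {name}"))
        if ev.get("sha256", "").lower() in SHA256S:
            hits.append(("hash", f"known SHA-256 for {name}"))
    return hits


def scan(events: Iterable[dict]) -> dict[str, list[tuple[str, str]]]:
    """Map each matching event id to its hits; clean events are omitted."""
    return {ev["id"]: h for ev in events if (h := scan_event(ev))}


TEMP = r"C:\Users\u\AppData\Local\Temp"
# Constructed sample events, not real telemetry. e7 and e8 are benign controls.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "file", "path": r"C:\Users\u\Downloads\ASEAN Notes.iso",
     "sha256": "b7e042d2accdf4a488c3cd46ccd95d6ad5b5a8be71b5d6d76b8046f17debaa18"},
    {"id": "e2", "type": "process", "image": TEMP + r"\office.exe",
     "cmdline": f'"{TEMP}\\office.exe" starmygame'},
    {"id": "e3", "type": "image_load", "image": TEMP + r"\office.exe",
     "loaded": TEMP + r"\GetCurrentDeploy.dll", "host_signed": True, "dll_signed": False},
    {"id": "e4", "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "gameestrto", "data": f'"{TEMP}\\office.exe" StarWegameToyOU'},
    {"id": "e5", "type": "dns", "query": "openservername.com"},
    {"id": "e6", "type": "network", "dest_ip": "123.253.32.15", "dest_port": 443,
     "http_host": "update.microsoft.com"},
    {"id": "e7", "type": "network", "dest_ip": "192.0.2.10", "dest_port": 443,
     "http_host": "update.microsoft.com"},
    {"id": "e8", "type": "image_load", "image": r"C:\Program Files\App\app.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "host_signed": True, "dll_signed": True},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        for technique, reason in hits:
            print(f"{event_id}: [{technique}] {reason}")
```

The generic side-loading check is the part worth keeping after the listed IoCs rotate: the actor's C2 IPs and DLL names change between campaigns, but a signed Microsoft binary running from a user-writable directory and loading an unsigned DLL beside itself, then being re-launched from a Run value with an unusual argument, is the shape both campaigns share.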
Read more: https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/