Google’s Threat Intelligence Group (GTIG) uncovered a sophisticated cyber-espionage campaign by APT24, primarily targeting organizations in Taiwan through the BADAUDIO downloader. The campaign spans over three years and involves complex delivery methods, including web compromises, supply chain attacks, and spear-phishing, demonstrating advanced technical obfuscation and strategic planning. #APT24 #BADAUDIO
Key points
- APT24 conducts a long-running cyber-espionage campaign primarily in Taiwan since 2022.
- BADAUDIO is a heavily obfuscated C++ first-stage downloader, capable of downloading and executing encrypted payloads like Cobalt Strike Beacon.
- The malware uses control-flow flattening, which significantly impedes reverse engineering efforts.
- Delivery includes web compromises, supply chain attacks on Taiwanese firms, and targeted spear-phishing campaigns.
- Attackers also abused cloud platforms such as Google Drive and OneDrive for malware distribution.