Keypoints
- Unit 42 observed two Stately Taurus malware packages created March 4–5, 2024 timed with the ASEAN-Australia Special Summit.
- Package 1 (Talking_Points_for_China.zip) used a signed KeyScrambler binary to sideload KeyScramblerIE.dll, deploy PubLoad shellcode, and contact 103.27.109[.]157:433.
- Package 2 (Note PSO.scr) downloaded a benign-signed WindowsUpdate.exe (renamed EACoreServer) and a malicious EACore.dll from 123.253.32[.]71, then connected to 146.70.149[.]36/www.openservername[.]com for C2.
- A second Chinese APT compromised an ASEAN-affiliated environment and communicated with known C2 infrastructure (multiple IPs and domains listed in Table 1).
- Observed TTPs include DLL side-loading, use of signed legitimate binaries, autorun registry persistence, masquerading, HTTP-based C2, and data exfiltration over C2 channels.
- Key IOCs include multiple malware hashes, delivery filenames, C2 IPs (e.g., 103.27.109[.]157, 123.253.32[.]71) and domains (e.g., www.openservername[.]com, ai.nerdnooks[.]com).
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Use of malicious archives and executables as delivery: (‘the use of malware packages like “Talking_Points_for_China.zip” and “Note PSO.scr” suggests the use of spearphishing attachments for initial access.’)
- [T1059] Command and Scripting Interpreter – Execution of delivered binaries and screensaver payloads: (‘the execution of scripts such as “Talking_Points_for_China.exe” and the use of screensaver executables for initial infection indicate the use of command and scripting interpreters.’)
- [T1574.002] DLL Side-Loading – Abuse of signed legitimate binaries to load malicious DLLs: (‘sideloads the malicious DLL KeyScramblerIE.dll’).
- [T1547.001] Registry Run Keys / Startup Folder – Persistence via autorun registry entry pointing to the dropped DLL: (‘copies it to the directory C:\Users\Public\Libraries\SmileTV\KeyScramblerIE.dll with an autorun registry key of the same location established for persistence.’)
- [T1036] Masquerading – Renaming legitimate executables to appear trustworthy and evade detection: (‘they do this to give it an appearance of a trustworthy program while, in the background, they’re sideloading their malicious DLL file’).
- [T1071] Application Layer Protocol – C2 over HTTP/HTTPS to specific IPs/domains: (‘attempts to establish a connection to 103.27.109[.]157:433’ and ‘146.70.149[.]36 for command and control (C2)’).
- [T1041] Exfiltration Over C2 Channel – Sending collected host/network information back to C2: (‘the sending of collected host-based information back to a C2 server indicates exfiltration over the C2 channel.’)
- [T1016] System Network Configuration Discovery – Collection of network interface and ARP cache data for discovery: (‘collection of network interface information and ARP cache contents implies the use of this technique for discovery.’)
Indicators of Compromise
- [Malware Hashes] Stately Taurus sample hashes – d393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318, a16a40d0182a87fc6219693ac664286738329222983bd9e70b455f198e124ba2, and 3 more hashes
- [IP Address] C2 and download hosts – 103.27.109[.]157 (PubLoad C2), 123.253.32[.]71 (hosts WindowsUpdate.exe / EACore.dll)
- [Domain] C2 domains – www.openservername[.]com, ai.nerdnooks[.]com
- [File names] Malicious delivery filenames – Talking_Points_for_China.zip, Note PSO.scr
Stately Taurus used two distinct delivery packages in early March 2024. The first, Talking_Points_for_China.zip, contained a renamed, signed KeyScrambler executable that sideloaded a malicious KeyScramblerIE.dll; the DLL was copied to C:\Users\Public\Libraries\SmileTV\KeyScramblerIE.dll and an autorun registry entry pointing to that location was created for persistence. The sideloaded code decrypted and executed PubLoad shellcode, which attempted to reach 103.27.109[.]157:433. The second package, Note PSO.scr, was a screensaver executable that fetched two files from 123.253.32[.]71: a benign, signed executable delivered as WindowsUpdate.exe (actually a renamed EACoreServer.exe) and a malicious EACore.dll. The signed executable then sideloaded EACore.dll, which connected to 146.70.149[.]36 / www.openservername[.]com for C2.
Separately, network traffic was observed between a compromised ASEAN-affiliated entity and known C2 infrastructure of a second Chinese APT group, which uses a distributed set of hosts (examples: 65.20.103[.]231, 139.59.46[.]88, 193.149.129[.]93 / ai.nerdnooks[.]com, 192.153.57[.]98 / web.daydreamdew[.]net). The activity follows a business-hour pattern aligned to UTC+08:00, with operational pauses during Chinese holidays; this supports the attribution and helps narrow monitoring windows. Recommended technical detections include blocking the listed IPs and domains, detecting DLL side-loading (a signed, legitimate executable loading a DLL from a user-writable path), monitoring autorun registry modifications that point into such paths, and flagging execution of the noted delivery filenames and of signed binaries that run under a different name or from an unusual location.
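The following is an added example, not code from Unit 42 or from the report above: it turns the recommended detections for both packages into a small set of rules and runs them over constructed Sysmon-like events (the field names EventType, Image, ImageLoaded, OriginalFileName, TargetObject, Details, DestinationIp, QueryName, Signed are assumed for illustration). The list of user-writable directories, the download path of WindowsUpdate.exe and EACore.dll, and the user/SID in the sample events are assumptions; the indicators themselves are the ones listed on this page.

```python
import ntpath
import re


def refang(ioc):
    """Turn a defanged indicator such as 103.27.109[.]157 into a matchable value."""
    return ioc.replace("[.]", ".").lower()


# Indicators from this page, written defanged as published.
IOC_IPS = {refang(i) for i in (
    "103.27.109[.]157", "123.253.32[.]71", "146.70.149[.]36",
    "65.20.103[.]231", "139.59.46[.]88", "193.149.129[.]93", "192.153.57[.]98")}
IOC_DOMAINS = {refang(d) for d in (
    "www.openservername[.]com", "ai.nerdnooks[.]com", "web.daydreamdew[.]net")}
DELIVERY_FILES = {"talking_points_for_china.zip", "talking_points_for_china.exe", "note pso.scr"}
SIDELOADED_DLLS = {"keyscramblerie.dll", "eacore.dll"}

# Assumption: user-writable locations from which a legitimate signed EXE should not be loading DLLs.
WRITABLE_DIR_RE = re.compile(
    r"^c:\\(users\\public\\|users\\[^\\]+\\appdata\\|programdata\\|windows\\temp\\)", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.I)


def _base(path):
    # ntpath handles backslash-separated paths on any host OS.
    return ntpath.basename(path).lower()


def detect(ev):
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    kind = ev.get("EventType")
    if kind == "ProcessCreate":
        name = _base(ev.get("Image", ""))
        if name in DELIVERY_FILES:
            hits.append("delivery_filename")
        # Masquerading: a binary whose PE OriginalFileName differs from the name it runs under
        # (KeyScrambler.exe -> Talking_Points_for_China.exe, EACoreServer.exe -> WindowsUpdate.exe).
        # Noisy on its own; pair it with the image-load rule below before alerting.
        orig = ev.get("OriginalFileName", "").lower()
        if orig and orig != name:
            hits.append("masquerade_renamed_binary")
    elif kind == "ImageLoad":
        dll = ev.get("ImageLoaded", "")
        # Side-loading: a DLL loaded from a user-writable path that is unsigned or has a known name.
        if WRITABLE_DIR_RE.match(dll) and (
                _base(dll) in SIDELOADED_DLLS or ev.get("Signed", "false").lower() == "false"):
            hits.append("dll_sideload_from_writable_path")
    elif kind == "RegistryValueSet":
        # Persistence: a Run/RunOnce value whose data points into a user-writable path.
        if RUN_KEY_RE.search(ev.get("TargetObject", "")) and WRITABLE_DIR_RE.match(ev.get("Details", "")):
            hits.append("run_key_to_writable_path")
    elif kind == "NetworkConnect":
        if ev.get("DestinationIp", "") in IOC_IPS:
            hits.append("c2_ip")
    elif kind == "DnsQuery":
        if refang(ev.get("QueryName", "")) in IOC_DOMAINS:
            hits.append("c2_domain")
    return hits


def scan(events):
    """Return (index, image, rules) for every event that matched at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            out.append((i, ev.get("Image", ""), hits))
    return out


# Constructed sample events modelled on the two packages, plus two benign controls at the end.
DL = r"C:\Users\alice\Downloads"
TMP = r"C:\Users\alice\AppData\Local\Temp"  # assumed drop location for the .scr's downloads
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": DL + r"\Talking_Points_for_China.exe", "OriginalFileName": "KeyScrambler.exe"},
    {"EventType": "ImageLoad", "Image": DL + r"\Talking_Points_for_China.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\SmileTV\KeyScramblerIE.dll", "Signed": "false"},
    {"EventType": "RegistryValueSet", "Image": DL + r"\Talking_Points_for_China.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\SmileTV",
     "Details": r"C:\Users\Public\Libraries\SmileTV\KeyScramblerIE.dll"},
    {"EventType": "NetworkConnect", "Image": DL + r"\Talking_Points_for_China.exe", "DestinationIp": "103.27.109.157", "DestinationPort": 433},
    {"EventType": "ProcessCreate", "Image": DL + r"\Note PSO.scr"},
    {"EventType": "ProcessCreate", "Image": TMP + r"\WindowsUpdate.exe", "OriginalFileName": "EACoreServer.exe"},
    {"EventType": "ImageLoad", "Image": TMP + r"\WindowsUpdate.exe", "ImageLoaded": TMP + r"\EACore.dll", "Signed": "false"},
    {"EventType": "DnsQuery", "Image": TMP + r"\WindowsUpdate.exe", "QueryName": "www.openservername.com"},
    {"EventType": "ImageLoad", "Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for i, image, hits in scan(SAMPLE_EVENTS):
        print(f"event {i}: {image}: {', '.join(hits)}")
```

The rules are deliberately behavioural rather than hash-based: the side-loading and Run-key checks fire on the pattern (signed host process, DLL in a user-writable directory, autorun pointing there) regardless of which DLL the actor ships next, while the IP, domain and filename checks cover only the indicators published here and should be refreshed as infrastructure rotates.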
Read more: https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/