CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure

CL-STA-1062 is a Chinese-speaking threat cluster that targeted government entities and critical energy infrastructure in Southeast Asia in 2025, using web shells, open-source tools, and a new backdoor called TinyRCT. The activity overlaps with UAT-7237 and includes data theft, reconnaissance, persistence, and stealth mechanisms designed to evade analysis and maintain access. #CL-STA-1062 #UAT-7237 #TinyRCT #SoftEtherVPN #VNT #JuicyPotato

Key points

  • CL-STA-1062 targeted government entities and critical infrastructure in Southeast Asia throughout 2025.
  • Activity overlapped with UAT-7237, a cluster previously linked to campaigns against web hosting infrastructure in Taiwan.
  • Attackers used web shells, MSSQL data exfiltration, and reconnaissance to expand access within compromised environments.
  • The group frequently relied on open-source tooling such as SoftEther VPN, Mimikatz, VNT, and JuicyPotato.
  • A previously undocumented backdoor named TinyRCT was identified, providing command execution, file theft, screen capture, and self-destruction.
  • Initial intrusion involved a malicious archive and AppDomainManager Injection to load a downloader and establish persistence via scheduled tasks.
  • Victim environments included at least ten organizations in Southeast Asia, including state-owned energy entities and government systems.

MITRE Techniques

  • [T1505.003] Web Shell – Used to gain and maintain access on compromised government systems and execute commands (‘deploying web shells’ / ‘These web shells function as the central mechanism for executing arbitrary commands’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Used for executing commands through cmd.exe and direct process execution (‘Executes the command via cmd.exe (or direct process execution)’).
  • [T1046] Network Service Scanning – Used to scan entities for vulnerabilities and identify movement opportunities (‘the attackers scanning the entities for vulnerabilities’).
  • [T1018] Remote System Discovery – Used to enumerate network and system information on the victim environment (‘conducting initial reconnaissance’, ‘network and system enumeration’).
  • [T1005] Data from Local System – Used to collect source code, database data, and files from compromised hosts (‘exfiltrating database information’, ‘staging and exfiltrating an entire directory of web server source code’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Used HTTP GET/POST for beaconing, registration, and exfiltration (‘The malware uses standard HTTP’, ‘sends exfiltrated data via POST requests’).
  • [T1105] Ingress Tool Transfer – Used to download malicious payloads and tool archives from attacker infrastructure (‘resulted in the victim networks downloading malicious payloads’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Used to persist malware through a task named GoogleUpdaterTaskSystem140.0.7272.0 {ACE7A46F-50FD-481C-AB32-3D838871DB40} (‘creates a scheduled task’).
  • [T1027] Obfuscated Files or Information – Used by disguising tools as legitimate executables and encrypting data with AES (‘disguised as legitimate system files’, ‘encrypts all exchanged data using AES-128’).
  • [T1036] Masquerading – Used to hide malware as PerfWatson2.exe, vmtools.exe, and VMware-related files (‘masquerading as PerfWatson2.exe’, ‘masquerading as vmtools.exe’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Used self-destruct and cleanup behavior to remove evidence (‘This routine is designed to remove forensic evidence of the infection’).
  • [T1070.004] Indicator Removal on Host: File Deletion – Used to delete payloads and clean up artifacts (‘deletes the malware’s PerfWatson2 executable’).
  • [T1068] Exploitation for Privilege Escalation – Used known tools and privilege escalation methods, including JuicyPotato (‘To escalate privileges, the attackers deployed known open-source tools, such as JuicyPotato’).
  • [T1090] Proxy – Used tunneling tools for command and control and exfiltration (‘frequently use tunneling tools for command and control (C2) and data exfiltration’).

Indicators of Compromise

  • [SHA256 hashes] Malicious files and tools linked to the campaign – 00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c, 4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384, and 4 more hashes
  • [IPv4 addresses] Attacker infrastructure, staging, and C2 – 139.180.134[.]221, 45.32.113[.]172, and 2 more IPs
  • [URLs] Payload hosting and download locations – hxxp[:]//139.180.134[.]221/PerfWatson2.exe, hxxp[:]//139.180.134[.]221/sdksdk608/win-vpn.rar, and 5 more URLs
  • [File names] Payloads, archives, and disguised binaries used in infection and persistence – chrome_setup.zip, PerfWatson2.exe, and 1 more file name
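The technique mappings and indicators above can be turned into a small triage pass over endpoint telemetry. The following is an added example (not code from Unit 42 or from the report): it runs Sysmon-style process-creation and network-connection events against the scheduled task name, the masquerade file names, and the C2 addresses listed on this page. The event records and the "expected install roots" heuristic are constructed assumptions, not part of the original summary.

```python
"""Triage constructed Sysmon-style events against the CL-STA-1062 indicators
summarised above. Example code, not from the report; the sample events are
constructed, the indicator values come from the summary."""
from dataclasses import dataclass

# Indicators taken from the summary (defanged IPs re-fanged for matching).
TASK_NAME = "GoogleUpdaterTaskSystem140.0.7272.0 {ACE7A46F-50FD-481C-AB32-3D838871DB40}"
C2_IPS = {"139.180.134.221", "45.32.113.172"}
MASQUERADE_NAMES = {"perfwatson2.exe", "vmtools.exe"}
# Assumption (heuristic, not from the report): these binaries are only
# expected under standard install roots; anywhere else is worth a look.
EXPECTED_ROOTS = (r"c:\program files", r"c:\program files (x86)")


@dataclass
class Alert:
    rule: str
    event_id: int
    detail: str


def triage(events):
    """Return one Alert per event that matches a page indicator or the masquerade heuristic."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        cmd = ev.get("CommandLine", "").lower()
        image = ev.get("Image", "")
        # T1053.005: schtasks invocation carrying the report's persistence task name
        if eid == 1 and "schtasks" in cmd and TASK_NAME.lower() in cmd:
            alerts.append(Alert("T1053.005 scheduled task", eid, TASK_NAME))
        # T1036: a known masquerade file name executing outside expected install roots
        name = image.rsplit("\\", 1)[-1].lower()
        if eid == 1 and name in MASQUERADE_NAMES and not image.lower().startswith(EXPECTED_ROOTS):
            alerts.append(Alert("T1036 masquerading", eid, image))
        # T1071.001 / T1105: outbound connection to an address listed as an IoC
        if eid == 3 and ev.get("DestinationIp") in C2_IPS:
            alerts.append(Alert("T1071.001 C2 address", eid, ev["DestinationIp"]))
    return alerts


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": f'schtasks /create /tn "{TASK_NAME}" /tr C:\\Users\\Public\\PerfWatson2.exe /sc onlogon'},
    {"EventID": 1, "Image": r"C:\Users\Public\PerfWatson2.exe", "CommandLine": "PerfWatson2.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Example\PerfWatson2.exe", "CommandLine": "PerfWatson2.exe"},  # benign path
    {"EventID": 3, "Image": r"C:\Users\Public\PerfWatson2.exe", "DestinationIp": "139.180.134.221"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "10.0.0.5"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The path heuristic only suppresses the benign install location; the file-name match still needs a hash check against the SHA256 values above before it is treated as confirmed.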


Read more: https://unit42.paloaltonetworks.com/cl-sta-1062-tinyrct-backdoor/