Grayling: Previously Unseen Threat Actor Targets Multiple Organizations in Taiwan

Symantec's Threat Hunter Team attributes a campaign against multiple organizations in Taiwan's manufacturing, IT, and biomedical sectors, with further victims in a government agency in the Pacific Islands, Vietnam, and the U.S., to a previously unseen APT group it has named Grayling. The operation is marked by a distinctive DLL sideloading technique that uses a custom decryptor to deploy payloads, and it relies on publicly available tools such as Havoc, Cobalt Strike, and NetSpy in what appears to be an intelligence-gathering effort. #Grayling #Taiwan

Keypoints

  • Grayling is a newly identified APT group attributed by Symantec Threat Hunter Team.
  • The actors use a distinctive DLL sideloading technique in which the malicious DLL exposes the export SbieDll_Hook (an export of the legitimate Sandboxie SbieDll.dll) and uses it to load payloads.
  • Public tools such as Havoc, Cobalt Strike, and NetSpy are used, alongside a custom decryptor for payload deployment.
  • Initial access likely involved exploitation of public-facing infrastructure, with web shells observed on victim systems before the DLL sideloading stage.
  • Post-exploitation activities include privilege escalation, network discovery (Active Directory mapping), process termination, and the use of downloaders.
  • The apparent motive is intelligence gathering across sectors including manufacturing, IT, biomedical, and government.

MITRE Techniques

  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – DLL sideloading used to load payloads via the SbieDll_Hook export, enabling loading of tools such as the Cobalt Strike stager, Havoc, and NetSpy. “The typical attack chain in this activity appears to be DLL sideloading through exported API SbieDll_Hook.”
  • [T1003.001] OS Credential Dumping: LSASS Memory – Use of Mimikatz to dump credentials. “Mimikatz: Publicly available credential-dumping tool.”
  • [T1046] Network Service Discovery – Network scanning during post-access activity to map the environment. “The attackers take various actions once they gain initial access to victims’ computers, including escalating privileges, network scanning, and using downloaders.”
  • [T1069.002] Permission Groups Discovery: Domain Groups – Active Directory discovery to query AD and map the network. “Active Directory discovery: Used to query Active Directory and help map the network.”
  • [T1068] Exploitation for Privilege Escalation – Exploitation of CVE-2019-0803 to escalate privileges. “Exploitation of CVE-2019-0803: An elevation of privilege vulnerability…”
  • [T1105] Ingress Tool Transfer – Downloaders retrieving additional payloads from external sources, including an unknown payload downloaded from imfsb.ini. “Downloaders” and “unknown payload downloaded from imfsb.ini.”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Terminating processes, including those named in a list file, to hide activity and hinder defenses. “Kill processes” and related activity indicate defense evasion.

Indicators of Compromise

  • [File Hashes] – File indicators associated with Havoc, Cobalt Strike, NetSpy, and downloaders: da670d5acf3648b0deaecb64710ae2b7fc41fc6ae8ab8343a1415144490a9ae9, 79b0e6cd366a15848742e26c3396e0b63338ead964710b6572a8582b0530db17, bf1665c949935f3a741cfe44ab2509ec3751b9384b9eda7fb31c12bfbb2a12ec, c2a714831d8a7b0223631eda655ce62ff3c262d910c0a2ed67c5ca92ef4447e3 and 3 more hashes
  • [Domain] – d3ktcnc1w6pd1f.cloudfront[.]net
  • [IP Addresses] – 172.245.92[.]207, 3.0.93[.]185
  • [URLs] – http://45.148.120[.]23:91/version.dll, http://45.148.120[.]23:91/vmtools.exe
  • [Files] – processlist.txt, imfsb.ini, and 2 more files
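The indicators above are most useful when turned into a hunt. The script below is an added example, not Symantec code or tooling from the report: it walks constructed Sysmon-style events (image loads, network connections, DNS queries) and flags the two behaviours the report describes, a sideloading-prone DLL (version.dll, which the attackers staged at the listed URL, or SbieDll.dll, whose SbieDll_Hook export the loaders abuse) loaded from outside its legitimate directory, and any match against the published hashes, IPs and domain. The Sandboxie install directories are an assumption and should be adjusted to your environment; the sample events are constructed, not taken from the report.

```python
"""Hunt Sysmon-style telemetry for Grayling tradecraft: DLL sideloading and
IOC matches.  Added example, not from the Symantec report."""
from __future__ import annotations
import ntpath

# Indicators from the report (defanging brackets removed).
IOC_SHA256 = {
    "da670d5acf3648b0deaecb64710ae2b7fc41fc6ae8ab8343a1415144490a9ae9",
    "79b0e6cd366a15848742e26c3396e0b63338ead964710b6572a8582b0530db17",
    "bf1665c949935f3a741cfe44ab2509ec3751b9384b9eda7fb31c12bfbb2a12ec",
    "c2a714831d8a7b0223631eda655ce62ff3c262d910c0a2ed67c5ca92ef4447e3",
}
IOC_IPS = {"172.245.92.207", "3.0.93.185", "45.148.120.23"}  # last one hosts the staged files
IOC_DOMAINS = {"d3ktcnc1w6pd1f.cloudfront.net"}

# DLL names abused for sideloading and where they legitimately live.  The
# Windows paths for version.dll are standard; the Sandboxie paths for
# SbieDll.dll are an assumption and should match your own deployment.
EXPECTED_DLL_DIRS = {
    "version.dll": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "sbiedll.dll": {r"c:\program files\sandboxie", r"c:\program files\sandboxie-plus"},
}


def _norm_dir(path: str) -> str:
    """Directory component, lower-cased, no trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\")


def check_image_load(event: dict) -> str | None:
    """Sysmon EID 7: a sideloading-prone DLL loaded from the wrong directory."""
    image = event.get("ImageLoaded", "")
    expected = EXPECTED_DLL_DIRS.get(ntpath.basename(image).lower())
    if expected is None or _norm_dir(image) in expected:
        return None
    return f"possible DLL sideload: {event.get('Image')} loaded {image}"


def check_hash(event: dict) -> str | None:
    """Any event carrying a SHA256: compare against the published hashes."""
    digest = event.get("SHA256", "").lower()
    if digest in IOC_SHA256:
        return f"known Grayling hash {digest[:12]}... in {event.get('ImageLoaded') or event.get('Image')}"
    return None


def check_network(event: dict) -> str | None:
    """Sysmon EID 3 (network) or EID 22 (DNS): match IP or queried domain."""
    ip = event.get("DestinationIp")
    host = (event.get("QueryName") or event.get("DestinationHostname") or "").lower()
    if ip in IOC_IPS:
        return f"connection to Grayling C2/staging IP {ip}:{event.get('DestinationPort')}"
    if host in IOC_DOMAINS:
        return f"DNS lookup of Grayling domain {host}"
    return None


# Which checks apply to which Sysmon event ID.
CHECKS = {7: (check_image_load, check_hash), 3: (check_network,), 22: (check_network,)}


def hunt(events: list[dict]) -> list[str]:
    """Run every applicable check over the events and return the findings."""
    findings = []
    for ev in events:
        for check in CHECKS.get(ev.get("EventID"), ()):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry (not from the report): a benign version.dll
# load, a version.dll sideload from a user-writable path, a SbieDll.dll
# sideload carrying a published hash, a connection to the staging IP and
# port from the report's URLs, and a lookup of the CloudFront domain.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "SHA256": "00" * 32},
    {"EventID": 7, "Image": r"C:\Users\Public\vmtools.exe",
     "ImageLoaded": r"C:\Users\Public\version.dll", "SHA256": "11" * 32},
    {"EventID": 7, "Image": r"C:\ProgramData\svc.exe",
     "ImageLoaded": r"C:\ProgramData\SbieDll.dll",
     "SHA256": "da670d5acf3648b0deaecb64710ae2b7fc41fc6ae8ab8343a1415144490a9ae9"},
    {"EventID": 3, "Image": r"C:\Users\Public\vmtools.exe",
     "DestinationIp": "45.148.120.23", "DestinationPort": 91},
    {"EventID": 22, "Image": r"C:\ProgramData\svc.exe",
     "QueryName": "d3ktcnc1w6pd1f.cloudfront.net"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The path check is deliberately an allow-list of legitimate directories rather than a block-list of suspicious ones, because a sideloaded DLL can sit anywhere the dropped executable does; the hash and network checks catch the specific samples and infrastructure from this campaign but will not survive a rebuild, so the behavioural check is the one worth keeping after the IOCs age out.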

Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks