Kaspersky researchers have uncovered the resurgence of PassiveNeuron, a sophisticated cyberespionage campaign targeting organizations in Asia, Africa, and Latin America using custom implants like Neursite and NeuralExecutor. The campaign employs complex multi-stage infection chains involving Microsoft SQL servers and DLL hijacking, highlighting targeted espionage activities by potentially Chinese-speaking threat actors. #PassiveNeuron #Neursite #NeuralExecutor #CobaltStrike #APT41
Key points
- The PassiveNeuron campaign involves the use of custom implants such as Neursite and NeuralExecutor for cyberespionage.
- Attackers initially compromise Windows Server systems by exploiting Microsoft SQL Server vulnerabilities, SQL injection through web applications, or brute-forcing credentials.
- DLL hijacking in the Windows System32 folder ensures persistence by automatically loading malicious libraries on startup.
- Neursite supports detailed reconnaissance of the compromised system, including retrieval of network information, and provides lateral-movement capabilities.
- The attribution hints at links to Chinese-speaking threat actors, possibly APT41, with sophisticated obfuscation and stealth measures.
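The persistence mechanism named above, a malicious DLL planted in System32 so that it is loaded at startup, is something a defender can baseline without knowing the specific file names the report describes. The following PowerShell script is an added example written for this summary; it is not code from Kaspersky or from the report. It assumes it is run with administrator rights on the Windows Server being inspected, and the 30-day "recently created" window and the CSV output path are arbitrary choices for the example. It lists System32 DLLs that either fail Authenticode/catalog signature validation or were created recently, so they can be triaged against a known-good host.

```powershell
# Added example (not from the Kaspersky report): baseline review of DLLs in System32
# that lack a valid Authenticode/catalog signature or were created recently.
# Assumptions (hypothetical, chosen for this example): run as an administrator on the
# host under review; the 30-day window and the CSV path are arbitrary.

param(
    [string]$Dir        = "$env:SystemRoot\System32",
    [int]$RecentDays    = 30,
    [string]$ReportPath = "$env:TEMP\system32-dll-review.csv"
)

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$RecentDays)

# Enumerate every DLL directly under the directory and collect signature and age facts.
$findings = Get-ChildItem -Path $Dir -Filter *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path        = $_.FullName
            SignatureOk = ($sig.Status -eq 'Valid')
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            CreatedUtc  = $_.CreationTimeUtc
            Recent      = ($_.CreationTimeUtc -gt $cutoff)
            SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    # Keep only files worth a second look: unsigned/invalid signature, or newer than the window.
    Where-Object { (-not $_.SignatureOk) -or $_.Recent }

# Show the newest candidates first and write the full list for offline comparison.
$findings | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("{0} DLL(s) flagged for review; report written to {1}" -f @($findings).Count, $ReportPath)
```

Two caveats apply when reading the output. A DLL that is signed by a third-party vendor or that is unsigned is not evidence of compromise on its own; the list is meant to be diffed against a clean build of the same Windows version, and the SHA256 column makes that comparison straightforward. Conversely, a valid Microsoft signature on every file does not cover the initial-access paths the report names (SQL Server exploitation, SQL injection, brute force), which need their own controls.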