Stately Taurus Continued – New Information on Cyberespionage Attacks against Myanmar Military Junta – CSIRT-CTI

Keypoints

  • CSIRT-CTI and Unit 42 document seven Stately Taurus campaigns against Myanmar’s military junta, expanding from the initial set.
  • All campaigns reuse DLL Search Order Hijacking to side-load malicious DLLs (e.g., KeyScramblerIE.dll) and leverage PUBLOAD traits.
  • Some campaigns employ Cobalt Strike beacons and infostealers, showing variation in the intrusion workflow.
  • Indicators of Compromise include multiple C2 IPs, spoofed host headers, magic bytes 17 03 03, and certificate CN WIN-9JJA076EVSS.
  • Persistence mechanisms include Registry Run keys (e.g., AKkeydobe, WindowsOfficeDoc) and autorun keys, plus creation of targeted drop directories.
  • Campaigns feature lure documents, disguised executables, and event-object techniques to aid data access and exfiltration; similarity analysis of imports and code suggests, with moderate confidence, that further samples are related.

MITRE Techniques

  • [T1574.002] DLL search-order hijacking – DLLs side-loaded during attack cascade. “Both executables leverage the previously-seen DLL Search Order Hijacking technique (T1574.002) to side-load a malicious DLL with the name KeyScramblerIE.dll.”
  • [T1083] File and Directory Discovery – The sample reads user directories to locate potentially sensitive data. “…the malware proceeds to read a set of directories with potentially sensitive data.”
  • [T1547.001] Registry Run Keys/Startup Folder – Persistence via autorun keys in Windows registry. “the typical autorun key is created for the executable in its new location with a command-line argument to detect reruns.”
  • [T1027] Obfuscated/Compressed Files and Information – Decrypting and loading a Cobalt Strike beacon from a deobfuscated payload. “decrypting it into a Cobalt Strike Beacon loader…,” and using the same magic bytes to signal payloads.
  • [T1071.001] Web protocols – C2 communications over TLS/HTTP-like channels. “connects with FakeTLS to 45.121.146[.]113 for C2,” etc.
  • [T1218] Signed Binary Proxy Execution – Use of legitimate signed binaries for deployment. “Two of these are benign executables with the names Country at risk of breaking apart due to clashes.exe… copies of the legitimate executable KeyScrambler.exe, which was originally signed by QFX Software Corporation.”
  • [T1036] Masquerading – Executables disguised as Microsoft Office documents with altered icons. “the executable is disguised as a Microsoft Word file with a replaced icon.”

Indicators of Compromise

  • [IP Address] C2 addresses – 45.121.146[.]113, 61.4.102[.]75, 45.154.24[.]14, 103.249.84[.]137
  • [Domain/Host header] Spoofed headers – wpstatic.microsoft.com, www.download.wndowsupdate.com
  • [Magic Bytes] 17 03 03 – payload signaling in multiple samples
  • [Certificate Common Name] WIN-9JJA076EVSS – consistently used with C2 servers
  • [User Agent] Cobalt Strike User Agent – “Mozilla/5.0 (compatible; mobile! telephone; https://mobile.bing.com/search)”
  • [Archive/Filename] Shan(north) – 11-09-2023.zip, Talking Points for China.zip, 01-05-2024.zip – sample artifacts used in campaigns
  • [File Hash] fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1, 3a6887963920c8bc1ae35fdca69af2c0865f8b5c6ef90b4db91fa152bc56050d
  • [File Hash] 01273b6bb129a54d59e91c389a71add9892d392ea5f145169ae628ec99eda935, edb0025d79d00839cc52d6b750d845c37ffd5a882c81e7979e2594a7f6c6d361
  • [File Name] KeyScramblerIE.dll, Report – 11-09-23.exe – hashes shown above correspond to malicious DLLs and executables

Read more: https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/