Unit 42 documents three Stately Taurus campaigns in August targeting South Pacific entities, including the Philippines government, using a renamed copy of Solid PDF Creator and a side-loaded DLL to maintain persistence and C2 activity. The actors also disguised C2 traffic as legitimate Microsoft requests and used Google Drive as a distribution drop point. #StatelyTaurus #MustangPanda #BronzePresident #RedDelta #LuminousMoth #EarthPreta #CamaroDragon #SolidPDFCreator #SmadavProtect #PhilippinesGovernment #Unit42 #GoogleDrive
Keypoints
- Three Stately Taurus campaigns observed in August 2023 targeted entities in the South Pacific, including the Philippines government.
- Attackers renamed the legitimate Solid PDF Creator executable and placed a hidden malicious DLL (SolidPDFCreator.dll) beside it, so launching the legitimate program side-loads the malware.
- Campaign 2 used a lure file named “NUG’s Foreign Policy Strategy.exe” with additional hidden files and executed a benign SmadavProtect32.exe to load the malicious DLL.
- C2 traffic was designed to resemble legitimate Microsoft traffic: the Host field of the POST requests is set to wcpstatic.microsoft.com while the requests themselves go to the actor's C2 IP.
- A registry Run key was created for persistence (Run key to launch SmadavProtect32.exe).
- Stately Taurus has a long history (since 2012) of cyberespionage targeting government entities and NGOs globally; protections emphasize NGFW, XDR, and automation.
MITRE Techniques
- [T1574.002] DLL Side-Loading – The legitimate Solid PDF Creator is launched and side-loads the malicious SolidPDFCreator.dll from the same folder. “Any attempt to execute the legitimate Solid PDF Creator software will result in the side-loading of the malicious DLL contained in the same folder.”
- [T1036] Masquerading – The attackers present a visible file (20230728 meeting minutes.exe) that is a renamed copy of Solid PDF Creator, disguising it as legitimate software. “By default, victims are presented with a visible application … This file is in fact a legitimate copy of Solid PDF Creator software that has been renamed.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (formerly tracked as T1060) – A registry Run value is created so SmadavProtect32.exe starts at user logon. “establishes a registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AHealthDB) to call SmadavProtect32.exe when a user logs on.”
- [T1071.001] Web Protocols – C2 traffic is disguised as legitimate Microsoft activity, with POST requests whose Host header names a Microsoft hostname although the destination is the actor's server. “In the POST statements the malware sets the host field to wcpstatic.microsoft[.]com …”
- [T1105] Ingress Tool Transfer – The malware package is hosted for download on Google Drive, delivering the initial payload. “malware package that was hosted for download on Google Drive.”
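The three host-side behaviours above (a renamed Solid PDF Creator binary, an unsigned DLL loaded from the same user-writable folder, and a Run value pointing into the user profile) can be tied together in endpoint telemetry. The following is an added detection example, not code from the Unit 42 report or from Palo Alto Networks. It runs over constructed Sysmon-style events (Event ID 1 process creation, 7 image load, 13 registry value set); the user name, paths, process IDs and the OriginalFileName value are assumptions made for illustration.

```python
import ntpath

# Constructed Sysmon-style telemetry (not from the report). Field names follow
# the Sysmon schema; the paths, user, PIDs and OriginalFileName are assumed.
EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Users\alice\Downloads\20230728 meeting minutes.exe",
     "OriginalFileName": "SolidPDFCreator.exe"},
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Users\alice\Downloads\20230728 meeting minutes.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\SolidPDFCreator.dll",
     "Signed": "false"},
    {"EventID": 13, "ProcessId": 4120,
     "Image": r"C:\Users\alice\Downloads\20230728 meeting minutes.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\AHealthDB",
     "Details": r"C:\Users\alice\AppData\Roaming\SmadavProtect32.exe"},
    # Benign control: a properly installed copy loading its own DLL from Program Files.
    {"EventID": 1, "ProcessId": 5000,
     "Image": r"C:\Program Files\SolidDocuments\SolidPDFCreator.exe",
     "OriginalFileName": "SolidPDFCreator.exe"},
    {"EventID": 7, "ProcessId": 5000,
     "Image": r"C:\Program Files\SolidDocuments\SolidPDFCreator.exe",
     "ImageLoaded": r"C:\Program Files\SolidDocuments\SolidPDFCreator.dll",
     "Signed": "true"},
]

# Directories normally not writable by a standard user; everything else is
# treated as user-writable for the purpose of these rules.
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def detect(events):
    """Return (technique, pid, description) findings for the three behaviours."""
    findings = []
    for ev in events:
        eid, pid, image = ev["EventID"], ev["ProcessId"], ev.get("Image", "")
        if eid == 1:
            # T1036: file on disk is named differently from the PE's OriginalFileName
            base, orig = ntpath.basename(image), ev.get("OriginalFileName", "")
            if orig and base.lower() != orig.lower():
                findings.append(("T1036", pid,
                                 f"{base!r} carries OriginalFileName {orig!r}"))
        elif eid == 7:
            # T1574.002: unsigned DLL loaded from the process's own, untrusted folder
            dll = ev.get("ImageLoaded", "")
            same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()
            if same_dir and ev.get("Signed", "").lower() != "true" and not in_trusted_dir(dll):
                findings.append(("T1574.002", pid,
                                 f"unsigned {ntpath.basename(dll)} side-loaded from {ntpath.dirname(dll)}"))
        elif eid == 13:
            # T1547.001: Run value whose target lives outside trusted directories
            key, target = ev.get("TargetObject", ""), ev.get("Details", "")
            if "\\currentversion\\run\\" in key.lower() and not in_trusted_dir(target):
                findings.append(("T1547.001", pid,
                                 f"Run value {ntpath.basename(key)} -> {target}"))
    return findings


if __name__ == "__main__":
    for technique, pid, text in detect(EVENTS):
        print(f"[{technique}] pid={pid}: {text}")
```

The benign control process (PID 5000) loads a signed SolidPDFCreator.dll from Program Files under its real name and produces no finding; only the renamed copy in the Downloads folder trips all three rules. In a real deployment the trusted-directory list and the signature field would come from the EDR's own schema rather than the assumptions hard-coded here.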
Indicators of Compromise
- [IP Address] 45.121.146[.]113 – C2 server used across campaigns, first associated with Stately Taurus in June 2023 and reused in August 2023
- [URL] drive.google[.]com/uc?id=1QLIQXP-s42TtZsONsKLAAtOr4Pdxljcu – Google Drive hosting the malware package
- [Domain] wcpstatic.microsoft[.]com – Legitimate Microsoft hostname written into the Host header of the C2 POST requests to masquerade as Microsoft traffic; the requests themselves go to the C2 IP above, so detect on the mismatch between the Host header and the destination rather than blocking the Microsoft name
- [File Hash] bebde82e636e27aa91e2e60c6768f30beb590871ea3a3e8fb6aedbd9f5c154c5, 24c6449a9e234b07772db8fdb944457a23eecbd6fbb95bc0b1398399de798584 – Stately Taurus sample malware components
- [File Hash] ba7c456f229adc4bd75bfb876814b4deaf6768ffe95a03021aead03e55e92c7c, 969b4b9c889fbec39fae365ff4d7e5b1064dad94030a691e5b9c8479fc63289c
- [File Hash] 3597563aebb80b4bf183947e658768d279a77f24b661b05267c51d02cb32f1c9, d57304415240d7c08b2fbada718a5c0597c3ef67c765e1daf4516ee4b4bdc768
- [File Hash] 54be4a5e76bdca2012db45b1c5a8d1a9345839b91cc2984ca80ae2377ca48f51, 2b05a04cd97d7547c8c1ac0c39810d00b18ba3375b8feac78a82a2f9a314a596
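The network indicators above combine into a simple triage rule: flag requests to the listed C2 IP, flag any request whose Host header names a Microsoft hostname that does not actually resolve to the destination IP, and flag the Google Drive download URL. The following is an added example written for this page, not code from the Unit 42 report. It runs over constructed JSON proxy log lines; the source addresses, timestamps and the `RESOLVED` table (a stand-in for a passive-DNS or resolver lookup, populated here with a documentation-range address) are assumptions.

```python
import json

# Indicators taken from the report, defanged as published.
C2_IPS = {"45.121.146[.]113"}
IOC_URLS = {"drive.google[.]com/uc?id=1QLIQXP-s42TtZsONsKLAAtOr4Pdxljcu"}


def refang(s: str) -> str:
    return s.replace("[.]", ".")


C2_IPS = {refang(ip) for ip in C2_IPS}
IOC_URL_KEYS = {refang(u) for u in IOC_URLS}   # host + path + query, scheme-less

# Constructed stand-in for a resolver/passive-DNS lookup. 198.51.100.10 is a
# documentation address used here only so the legitimate control request passes.
RESOLVED = {"wcpstatic.microsoft.com": {"198.51.100.10"}}

# Constructed proxy log (JSON per line); none of these records are real traffic.
LOG = """\
{"ts":"T1","src":"10.20.30.40","dst":"45.121.146.113","dport":80,"method":"POST","host":"wcpstatic.microsoft.com","uri":"/"}
{"ts":"T2","src":"10.20.30.41","dst":"198.51.100.10","dport":80,"method":"GET","host":"wcpstatic.microsoft.com","uri":"/"}
{"ts":"T3","src":"10.20.30.40","dst":"198.51.100.20","dport":443,"method":"GET","host":"drive.google.com","uri":"/uc?id=1QLIQXP-s42TtZsONsKLAAtOr4Pdxljcu"}
{"ts":"T4","src":"10.20.30.42","dst":"198.51.100.20","dport":443,"method":"GET","host":"drive.google.com","uri":"/uc?id=someotherfile"}
"""


def check(rec: dict, resolved: dict) -> list:
    """Return the reasons a single request record should be flagged (empty if clean)."""
    reasons = []
    dst = rec["dst"]
    host = rec.get("host", "").lower()
    if dst in C2_IPS:
        reasons.append("destination is a known Stately Taurus C2 IP")
    # Host header spoofing: a Microsoft name in the header, but the packets go elsewhere.
    if host == "microsoft.com" or host.endswith(".microsoft.com"):
        if dst not in resolved.get(host, set()):
            reasons.append(f"Host header {host} does not resolve to {dst} (header spoofing)")
    if host + rec.get("uri", "") in IOC_URL_KEYS:
        reasons.append("download of the Google Drive-hosted malware package")
    return reasons


def triage(lines, resolved=RESOLVED):
    """Parse JSON log lines and return [(src, [reasons...])] for flagged requests only."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        reasons = check(rec, resolved)
        if reasons:
            hits.append((rec["src"], reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in triage(LOG.splitlines()):
        print(src, "->", "; ".join(reasons))
```

The second record is the control case: the same Microsoft hostname going to the address it actually resolves to is not flagged, which is why the rule keys on the Host/destination mismatch rather than on the hostname itself. The fourth record shows that only the specific Google Drive file ID from the report matches, not Google Drive in general.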
Read more: https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/