October 10, 2023 at 07:00AM
A previously unknown threat actor named Grayling has been identified as the culprit behind a series of cyberattacks on organizations in Taiwan, including the manufacturing, IT, and biomedical sectors. Symantec’s Threat Hunter Team discovered the attacks, which began in February 2023 and used a distinctive DLL side-loading technique to deploy payloads. The motivation behind the attacks appears to be intelligence gathering; no data exfiltration has been observed. The heavy targeting of Taiwanese organizations suggests a regional interest in Taiwan.
Key Takeaways from Meeting Notes:
1. A previously unknown threat actor named Grayling has been linked to cyber attacks targeting organizations in Taiwan, including the manufacturing, IT, and biomedical sectors.
2. Grayling is identified as an advanced persistent threat (APT) and is known for using a distinctive DLL side-loading technique to deploy payloads.
3. The attacks began in February 2023 and continued until at least May 2023, indicating a sustained campaign.
4. Besides Taiwan, Grayling has also targeted a government agency in the Pacific Islands, and entities in Vietnam and the U.S.
5. The motivation behind Grayling’s activity appears to be intelligence gathering.
6. Grayling gains initial access to victim environments by exploiting public-facing infrastructure and deploys web shells for persistent access.
7. The attack chains involve DLL side-loading through a malicious DLL that exports the SbieDll_Hook API (the export the legitimate loading application expects), which is then used to load a range of payloads, including Cobalt Strike, NetSpy, and the Havoc framework, alongside tools such as Mimikatz.
8. Grayling has been observed terminating all processes listed in a file called processlist.txt.
9. DLL side-loading tricks Windows into executing malicious code: the attacker places a malicious DLL bearing the name of a DLL that a legitimate (often signed) application expects to load, typically in that application’s own directory, so the Windows DLL search order resolves and loads the malicious copy instead of the genuine one.
10. Once inside victim computers, Grayling escalates privileges, performs network scanning, and utilizes downloaders.
11. Data exfiltration has not been observed so far, indicating that the motives behind the attacks are focused on reconnaissance and intelligence gathering.
12. Grayling’s use of publicly available tools helps complicate attribution, and its termination of selected processes is likely intended to avoid detection for extended periods.
13. The heavy targeting of Taiwanese organizations suggests that Grayling likely operates from a region with a strategic interest in Taiwan.
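The side-loading pattern in points 7 and 9 leaves a recognisable trace in image-load telemetry: a DLL with a well-known name loaded from outside the Windows system directories, usually unsigned and sitting beside the executable that loaded it. The script below, an added example that is not part of the original article or of Symantec’s report, hunts for that pattern over constructed Sysmon-style Event ID 7 (ImageLoaded) records. The trusted-directory list, the watched DLL names (SbieDll.dll is assumed here to be the Sandboxie DLL whose SbieDll_Hook export the report mentions) and the sample log lines are all assumptions made for the example.

```python
"""Hunt for DLL side-loading candidates in Sysmon-style ImageLoaded records.

Added example (not from the original article). Input lines are constructed
Key=Value records mimicking Sysmon Event ID 7 fields: Image (the loading
process), ImageLoaded (the DLL), Signed and SignatureStatus.
"""
import ntpath
import re

# Directories from which Windows normally resolves its own DLLs (assumption).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Legitimate DLL names an attacker may impersonate for side-loading.
# SbieDll.dll is assumed to be the Sandboxie DLL; the others are common
# side-loading targets chosen for the example.
WATCHED_DLLS = {"sbiedll.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}

# Key=Value pairs; values may contain spaces, so stop only before the next "Key=".
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value Key=Value ...' record into a dict."""
    return {k: v.strip() for k, v in _FIELD_RE.findall(line)}


def _norm(path: str) -> str:
    """Case-fold and normalise separators so path comparisons are reliable."""
    return path.lower().replace("/", "\\")


def in_trusted_dir(path: str) -> bool:
    """True if the file lives in (or under) one of the trusted system directories."""
    d = ntpath.dirname(_norm(path))
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def assess(event: dict):
    """Return a finding dict for a suspicious load, or None for a benign one."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if not image or not loaded:
        return None
    name = ntpath.basename(_norm(loaded))
    # Only a watched name loaded from an untrusted location is interesting.
    if name not in WATCHED_DLLS or in_trusted_dir(loaded):
        return None
    # Classic side-load: the DLL sits next to the executable that loaded it.
    colocated = ntpath.dirname(_norm(loaded)) == ntpath.dirname(_norm(image))
    unsigned = event.get("Signed", "").lower() != "true"
    severity = "high" if (colocated and unsigned) else "medium"
    return {
        "image": image,
        "dll": loaded,
        "name": name,
        "colocated": colocated,
        "unsigned": unsigned,
        "severity": severity,
    }


def hunt(lines):
    """Run assess() over raw log lines and return the list of findings in order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = assess(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: version.dll resolved from System32 by a system binary.
    r"Image=C:\Windows\System32\notepad.exe ImageLoaded=C:\Windows\System32\version.dll Signed=true SignatureStatus=Valid",
    # Side-load pattern: unsigned DLL with a legitimate name beside its loader in ProgramData.
    r"Image=C:\ProgramData\Update\svc.exe ImageLoaded=C:\ProgramData\Update\SbieDll.dll Signed=false SignatureStatus=Unavailable",
    # Watched name outside system dirs, but signed and not co-located: worth a look, lower priority.
    r"Image=C:\Program Files\Tool\tool.exe ImageLoaded=C:\Program Files\Common Files\dbghelp.dll Signed=true SignatureStatus=Valid",
    # Unrelated DLL name: ignored by this rule.
    r"Image=C:\ProgramData\Update\svc.exe ImageLoaded=C:\ProgramData\Update\helper.dll Signed=false SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['image']} loaded {f['dll']} "
              f"(co-located={f['colocated']}, unsigned={f['unsigned']})")
```

On real data, feed the script exported Sysmon Event ID 7 records and extend WATCHED_DLLS with the DLL names your own telemetry shows legitimate signed applications loading; the co-located-and-unsigned combination is the strongest signal, while a signed watched DLL from an unusual path is worth triage but is commonly a vendor redistribution.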
Full Article – https://ift.tt/T9tow0Z