Hackers Use Rare Stealth Techniques to Down Asian Military, Gov’t Orgs

August 26, 2024 at 06:04PM

An ongoing campaign in Southeast Asia is using two innovative stealth techniques to infect high-level organizations. “GrimResource” executes arbitrary code in the Microsoft Management Console, while “AppDomainManager Injection” uses malicious DLLs to load a custom configuration file. These techniques were recently used to drop Cobalt Strike onto IT systems belonging to government agencies and military organizations.

The key takeaways from the article are:

1. The ongoing campaign is using two stealth techniques, “GrimResource” and “AppDomainManager Injection,” to infiltrate high-level organizations in Southeast Asia.
2. “GrimResource” exploits a vulnerability in the Microsoft Management Console (MMC) to execute arbitrary code, primarily by using a malicious ZIP file containing an MSC file.
3. The attackers leverage the “AppDomainManager Injection” technique, which involves duping a targeted application into loading a malicious AppDomainManager instead of the legitimate one.
4. The attackers are using these techniques in combination to drop Cobalt Strike onto IT systems belonging to Taiwanese government agencies, the Philippine military, and energy organizations in Vietnam.
5. The campaign has been active since July and shows similarities to China’s APT41.
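The two delivery mechanisms above (an archive carrying an MSC file, and an application configuration file that points the .NET runtime at a substitute AppDomainManager) are both visible to a defender before anything executes. The following triage helper is an added example, not code from the article or from any vendor writeup: it inspects an inbound ZIP, flags any `.msc` entry, and parses any `.config` entry for the `appDomainManagerAssembly` / `appDomainManagerType` keys under `<runtime>` (the documented .NET configuration keys for this mechanism) as well as the equivalent `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables. The sample archive and config are constructed here; the assembly and type names in them are placeholders.

```python
"""Triage helper for the two delivery mechanisms described above.

Added example (not from the article). It is deliberately read-only: it reports
what an archive or config would do, it never loads or executes anything.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# <runtime> child elements whose "value" attribute tells the .NET runtime which
# AppDomainManager to instantiate at start-up. These are the documented .NET
# configuration keys; the article itself does not name them.
APPDOMAIN_MANAGER_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")

# Environment variables that achieve the same redirection without a config file.
APPDOMAIN_MANAGER_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Constructed sample: an app config pointing the runtime at a substitute
# assembly. PLACEHOLDER_* names are not real malware identifiers.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="PLACEHOLDER_ASSEMBLY, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="PLACEHOLDER_NAMESPACE.PLACEHOLDER_TYPE" />
  </runtime>
</configuration>
"""


def find_appdomain_manager_override(config_xml: bytes) -> dict:
    """Return {key: value} for any AppDomainManager override in a .NET config.

    A legitimate application config almost never sets these keys, so any hit
    on a user-writable path next to a signed executable deserves a look.
    """
    findings = {}
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return findings  # not XML at all: nothing to report from this check
    for runtime in root.iter("runtime"):
        for child in runtime:
            tag = child.tag.split("}")[-1]  # tolerate a namespaced element
            if tag in APPDOMAIN_MANAGER_KEYS:
                findings[tag] = child.get("value", "")
    return findings


def find_env_override(env: dict) -> dict:
    """Return the AppDomainManager environment variables present in `env`."""
    return {k: env[k] for k in APPDOMAIN_MANAGER_ENV if k in env}


def triage_zip(zip_bytes: bytes) -> list:
    """Flag .msc entries and .config entries carrying an AppDomainManager override.

    Returns a list of (entry_name, reason) tuples in archive order.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(".msc"):
                findings.append((name, "MMC console file (.msc) delivered inside an archive"))
            elif lower.endswith(".config"):
                override = find_appdomain_manager_override(zf.read(info))
                if override:
                    detail = ", ".join(f"{k}={v}" for k, v in sorted(override.items()))
                    findings.append((name, "AppDomainManager override: " + detail))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a stub .msc, the sample config, and a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.msc", "<?xml version='1.0'?><MMC_ConsoleFile/>")
        zf.writestr("app.exe.config", SAMPLE_CONFIG)
        zf.writestr("readme.txt", "benign text file")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in triage_zip(build_sample_zip()):
        print(f"{entry}: {reason}")
    print("env:", find_env_override({"APPDOMAIN_MANAGER_ASM": "PLACEHOLDER_ASSEMBLY"}))
```

Run on the constructed sample, `triage_zip` reports the `.msc` entry and the config override; `readme.txt` is ignored. In practice the same two checks can be run over mail-gateway attachments and over `*.exe.config` files found beside executables in user-writable directories, and the environment-variable check belongs in process-creation telemetry for .NET hosts.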

