Threat-hunters at Palo Alto Networks’ Unit 42 have decided a gang they have tracked since 2022 is backed by China, after seeing it sling a new variety of malware.
Unit 42 first spotted this cluster of attackers in 2022 and has kept an eye on it ever since. On Tuesday the infosec investigators decided the group is worthy of a name – “Phantom Taurus” – because it has developed novel tactics, techniques, and procedures (TTPs) in pursuit of military and diplomatic targets across Asia, the Middle East, and Africa.
“We observed that the group takes an interest in diplomatic communications, defense-related intelligence and the operations of critical governmental ministries,” the researchers wrote, and noted the group’s ops align with China’s interests and “frequently coincide with major global events and regional security affairs.”
Unit 42 says the group first targeted email systems, then switched to attacks on databases by using stolen credentials. Those efforts saw Phantom Taurus employ infrastructure used by other China-linked gangs, namely Iron Taurus (aka APT27), Starchy Taurus (aka Winnti) and Stately Taurus (aka Mustang Panda).
Phantom Taurus now uses its own infrastructure, and its very own malware that Unit 42 named “NET-STAR” because it’s a .NET app and is designed to target Internet Information Services (IIS) web servers.
“The NET-STAR malware suite demonstrates Phantom Taurus’ advanced evasion techniques and a deep understanding of .NET architecture, representing a significant threat to internet-facing servers,” the threat hunters wrote, before explaining that the suite has three components – a backdoor and two loaders:
- IIServerCore: A fileless modular backdoor that supports in-memory execution of command-line arguments, arbitrary commands and payloads
- AssemblyExecuter V1: Loads and executes additional .NET payloads in memory
- AssemblyExecuter V2: An enhanced version of AssemblyExecuter V1 that is also equipped with Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) bypass capabilities
Unit 42 thinks Phantom Taurus designed the payloads to confuse infosec researchers, and that the effort is working: AssemblyExecuter V1 has a “seemingly benign code structure” that “results in minimal flagging by antivirus engines on VirusTotal.”
Palo Alto’s article includes indicators of compromise – you’ll need to go looking for SHA256 hashes for the three backdoors – and suggests Phantom Taurus is “a significant threat to internet-facing servers.”
However, the company’s post doesn’t detail how Phantom Taurus infects its targets with NET-STAR, or describe any raids it has conducted other than to say it’s observed the gang seeking “documents of interest and information related to specific countries such as Afghanistan and Pakistan.”
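For readers who do go looking for those hashes, here is an added example (not code from the original article or from Unit 42) of the sweep a defender would run over an IIS server’s web roots and bin directories: it hashes every file against a SHA256 IoC set and separately lists managed (.NET) PE files, since NET-STAR components are .NET assemblies. The IoC set, the directory layout and the minimal PE headers it builds for its self-test are all constructed here and are not real samples or real Unit 42 indicators.

```python
import hashlib
import struct
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA256 so large uploads or logs don't hit memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_managed_pe(data: bytes) -> bool:
    """True if `data` starts a PE image whose CLR runtime header
    (data directory entry 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) is
    non-empty, i.e. the file is a .NET assembly rather than a native DLL."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if pe_off + 26 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    opt = pe_off + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                         # PE32
        data_dirs = opt + 96
    elif magic == 0x20B:                                       # PE32+
        data_dirs = opt + 112
    else:
        return False
    clr = data_dirs + 14 * 8
    if clr + 8 > len(data):
        return False
    rva, size = struct.unpack_from("<II", data, clr)
    return rva != 0 and size != 0


def hunt(root, iocs):
    """Walk `root`; return IoC hash matches and every managed PE found."""
    hits, managed = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        if digest in iocs:
            hits.append((str(path), digest))
        with path.open("rb") as f:
            head = f.read(4096)           # headers sit well inside the first page
        if is_managed_pe(head):
            managed.append(str(path))
    return {"ioc_hits": hits, "managed_assemblies": managed}


def build_fake_pe(managed: bool) -> bytes:
    """Constructed, non-executable PE32+ header for the self-test below."""
    pe_off = 0x80
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    opt = pe_off + 24
    struct.pack_into("<H", buf, opt, 0x20B)
    if managed:
        # point the CLR header directory at some RVA with a plausible size
        struct.pack_into("<II", buf, opt + 112 + 14 * 8, 0x2008, 0x48)
    return bytes(buf)


def demo():
    """Build a throwaway 'IIS' tree and run the hunt over it (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "App.dll").write_bytes(build_fake_pe(managed=True))
        (root / "bin" / "native.dll").write_bytes(build_fake_pe(managed=False))
        (root / "web.config").write_text("<configuration/>")
        # Treat the managed sample as 'known bad' so the IoC path is exercised;
        # in real use, load the SHA256 values from the vendor report instead.
        iocs = {sha256_file(root / "bin" / "App.dll")}
        return hunt(root, iocs)


if __name__ == "__main__":
    print(demo())
```

One caveat the article's own description implies: IIServerCore is fileless and AssemblyExecuter runs its payloads in memory, so a disk sweep like this only catches dropped loaders and staging files. Pair it with memory or ETW-based hunting of the w3wp.exe worker processes rather than relying on hashes alone.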
China consistently denies reports that it backs attack gangs, claiming that they’re all part of a US-led plot to discredit it and sully its peaceful intentions. ®