A previously unknown threat actor group has been using custom malware and publicly available tools to target enterprise infrastructure in what appears to be a sophisticated four-month espionage operation in Taiwan, Vietnam, and the United States from February to May 2023.
Cybersecurity researchers from Symantec Threat Hunter Team have dubbed this new group Grayling. The researchers detected this group due to their unique use of the DLL sideloading technique, which involves deploying a custom decryptor for payload transmission.
The attackers exploited public-facing infrastructure for initial access to the victim’s machines. Researchers have also detected web shell deployments in some victim computers before the DLL sideloading activities commenced. This technique facilitated the loading of various payloads, including Cobbalt Stricke, NetSpy, and the Havoc framework.
Upon gaining initial access, the attackers executed various actions, including privilege escalation, network scanning, and employing downloaders. Their tactics, techniques and procedures (TTPs) encompassed tools like Havoc (a versatile post-exploitation framework), Cobalt Strike (commonly exploited by malicious actors), NetSpy (a publically available spyware tool), exploiting CVE-2019-0803, Active Directory discover, and the use of Mimikatz for credential dumping.
The attack chain involved DLL sideloading through the exported API SbieDll_Hook, leading to the deployment of the malicious tools. The attackers also loaded and decrypted an unknown payload from imfsb.ini.
Post-exploitation activities involved terminating processes listed in a file named processlist.text and downloading the publically available credential-dumping tool Mimikatz.
The researchers are still unsure regarding the motivation of the threat actors as they observed no data exfiltration. However, the tools and activities observed by the researchers suggest that the primary objective of Grayling can be intelligence gathering. This view is more cemented after the fact that the targeted industries of Grayling — manufacturing, IT, biomedical, and government agencies — are typically of interest for intelligence purposes rather than financial gain.
Grayling’s use of custom techniques with publicly available tools aligns with contemporary APT group practices. Usually, attackers deploy this technique to evade security measures, maintain a low profile and further complicate attribution for investigators.
The researchers are still unsure about the geographical origins of Grayling, but the overwhelming interest in Taiwan can give us some clues. As of now, it is still not clear about Grayling’s country of origin.
In the News: Chinese-linked Stayin Alive campaign targets Asian telcos
