A gambling company in the Philippines has been targeted by a campaign, active since October 2021, that ESET tracks as Operation ChattyGoblin. The operation consists of a series of attacks against support agents of Southeast Asian organizations, delivered through chat applications such as Comm100 and LiveHelp100.

ChattyGoblin's link to China

The campaign is also believed to have targeted organizations in the industrial, technology, healthcare, insurance, manufacturing, and telecom sectors in Europe and North America.
  • The attack chains use the chat apps to deliver a C# dropper, which deploys a second C# executable that in turn drops a Cobalt Strike beacon on the compromised workstation.
  • CrowdStrike first spotted a trojanized Comm100 installer being used to deliver malware in October 2022.
  • Researchers linked the ongoing supply chain attack to a threat actor with links to China.
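As an added, illustrative example (not code from ESET's report or from Cyware), the following Python script hunts for the multi-stage delivery chain described above in process-creation telemetry: a chat-application process spawning an executable from a user-writable directory, which in turn spawns a further executable (dropper, then second stage). The chat-app image names, file paths and log lines are constructed assumptions for illustration, not indicators from the report; adapt the sets to your own EDR or Sysmon (Event ID 1) data.

```python
"""
Hunt for a chat-app -> dropper -> second-stage process chain.

Added illustration only; not ESET's or Cyware's code. Every image name,
path and event below is constructed for the example.
"""
import json
import ntpath
from collections import defaultdict

# Hypothetical executable names of the chat applications (assumption).
CHAT_APP_IMAGES = {"comm100.exe", "livehelp100.exe"}

# Path fragments that indicate a user-writable location on Windows.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Minimum number of user-writable stages under the chat app before alerting
# (dropper + second stage, as in the chain described in the article).
MIN_STAGES = 2

# Constructed sample telemetry: one JSON process-creation event per line.
SAMPLE_EVENTS = r'''
{"pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe", "user": "agent1"}
{"pid": 200, "ppid": 100, "image": "C:\\Program Files\\Comm100\\Comm100.exe", "user": "agent1"}
{"pid": 210, "ppid": 200, "image": "C:\\Program Files\\Comm100\\updater.exe", "user": "agent1"}
{"pid": 300, "ppid": 200, "image": "C:\\Users\\agent1\\AppData\\Local\\Temp\\update.exe", "user": "agent1"}
{"pid": 400, "ppid": 300, "image": "C:\\Users\\agent1\\AppData\\Roaming\\svc.exe", "user": "agent1"}
{"pid": 500, "ppid": 100, "image": "C:\\Windows\\System32\\notepad.exe", "user": "agent1"}
{"pid": 600, "ppid": 1,   "image": "C:\\Program Files\\LiveHelp100\\LiveHelp100.exe", "user": "agent2"}
{"pid": 610, "ppid": 600, "image": "C:\\Users\\agent2\\AppData\\Local\\Temp\\attachment.exe", "user": "agent2"}
'''


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_chat_app(image):
    """True if the image's file name matches a monitored chat application."""
    return ntpath.basename(image).lower() in CHAT_APP_IMAGES


def is_user_writable(image):
    """True if the image was launched from a user-writable directory."""
    lowered = image.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def find_suspicious_chains(events, min_stages=MIN_STAGES):
    """
    Return maximal process chains (as lists of image paths) that start at a
    chat application and continue through at least `min_stages` children
    launched from user-writable locations. A chat app spawning a single
    user-writable child (e.g. an opened attachment) is not enough on its own.
    """
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)

    def walk(ev, chain):
        nexts = [c for c in children.get(ev["pid"], []) if is_user_writable(c["image"])]
        if not nexts:
            # Leaf reached: report only if enough stages follow the chat app.
            return [chain] if len(chain) - 1 >= min_stages else []
        results = []
        for child in nexts:
            results.extend(walk(child, chain + [child]))
        return results

    findings = []
    for ev in events:
        if is_chat_app(ev["image"]):
            for chain in walk(ev, [ev]):
                findings.append([c["image"] for c in chain])
    return findings


if __name__ == "__main__":
    for chain in find_suspicious_chains(parse_events(SAMPLE_EVENTS)):
        print(" -> ".join(chain))
```

In the constructed sample only the Comm100 -> Temp\update.exe -> Roaming\svc.exe chain is reported; the vendor updater under Program Files and the single attachment launched from LiveHelp100 are deliberately left below the threshold to keep the rule from paging on everyday support-agent activity.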

Other active APT groups

ESET recently published a detailed report, APT Activity Report Q4 2022–Q1 2023, covering multiple campaigns, including Operation ChattyGoblin. Other campaigns covered in the report include the following:
  • Attacks by the Donot Team and SideWinder against government organizations in South Asia.
  • A limited set of attacks attributed to Confucius, another Indian APT group active since 2013 that is believed to have links with the Patchwork group.
  • An unnamed Indian data management services provider targeted by the North Korea-backed Lazarus Group in January, using an Accenture-themed social engineering lure.
  • The Iranian threat actor OilRig deploying a custom implant, Mango, against an Israeli healthcare firm.

Conclusion

Operation ChattyGoblin remained undetected for almost a year, which points to the evasion tactics used by this group. More broadly, the operations described in ESET's report are representative of ongoing APT activity across the globe and show that these groups continuously update their TTPs. To counter such threats, organizations are strongly advised to upgrade their defense strategies proactively.
Publisher: Cyware