A new China-linked APT campaign, dubbed Operation StealthyTrident, has been observed by researchers from ESET and Avast. Both security firms have published separate write-ups of the campaign.

Diving into the details

The operators behind Operation StealthyTrident have launched supply-chain attacks against hundreds of Mongolian government agencies. Their chosen vector is Able Desktop, a chat application developed by the local company Able Software and widely used across these agencies.
  • The initial attacks revolved around adding payloads, such as the HyperBro backdoor and the PlugX remote access trojan, to the Able Desktop chat app and then spreading the trojanized installer via phishing emails.
  • Since at least June, the attackers have also been able to deliver the malware-laced Able Desktop chat app through the application's official update mechanism, so victims receive it as a legitimate update rather than via a lure.
  • In these later attacks they continued to deliver the HyperBro backdoor, but replaced PlugX with Tmanger as the remote access component.
  • After analyzing all the malware strains used in the attacks, Avast researchers attributed the operation to the Chinese APT group LuckyMouse, while ESET researchers believe it is a collaboration of several China-linked APTs, including LuckyMouse, TA428, CactusPete, TICK, IceFog, KeyBoy, and the Winnti group.

Chinese APT groups on the rampage

  • In November, the China-linked Cicada APT group targeted companies in 17 regions and multiple sectors, including automotive, pharmaceutical, and engineering, as well as Managed Service Providers (MSPs), in a large-scale attack campaign.
  • In the same month, the China-sponsored FunnyDream APT group used three backdoors, named Chinoxy, PcShare, and FunnyDream, to infect more than 200 systems across Southeast Asian government institutions.

Wrapping up

Hijacking the official update mechanism in Operation StealthyTrident demonstrates the growing proficiency and determination of Chinese APT groups to infiltrate government institutions. An already diverse toolset and incrementally improving tradecraft show how persistent these groups are. For defenders, the practical lesson is that a vendor's update channel is part of the organization's attack surface: updates should be fetched over an authenticated channel and verified (by signature or pinned hash) before installation, and updater traffic should be monitored like any other inbound channel. These factors justify close monitoring of such threat actors by security agencies.

Cyware Publisher