More details on suspected China-nexus actors quietly establishing years-long access to the networks of military organizations in Southeast Asia have come to light.
In a threat report last week, Palo Alto Networks’ Unit 42 incident response team detailed how it uncovered an extensive cyber espionage campaign, which it attributed with moderate confidence to Chinese state-sponsored actors — hard on the heels of a similar discovery of a years-long campaign targeting critical sectors in the region. The threat activity, which Unit 42 tracks as CL-STA-1087, was first discovered when newly deployed agents for Palo Alto Networks’ Cortex XDR platform detected suspicious PowerShell activity in a victim’s network.
After an investigation, Unit 42 researchers traced the threat activity back to at least 2020. While it is unclear how the attackers first gained access to the organization, the researchers discovered previously undocumented backdoor malware and a customized credential-stealing tool based on Getpass.
“The activity demonstrated strategic operational patience and a focus on highly targeted intelligence collection, rather than bulk data theft,” Palo Alto Networks threat researchers Lior Rochberger and Yoav Zemah wrote in the report. “The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures and collaborative efforts with Western armed forces.”
Who’s Behind the CL-STA-1087 Campaign?
It’s unclear which China-nexus threat group is behind the cyber espionage campaign. The attackers deployed several tools that have not been documented before, including two backdoors that researchers named “AppleChris” and “MemFun.” Both backdoors use dead-drop resolvers (DDRs), a technique also used by other nation-state groups: rather than hard-coding a command-and-control (C2) address, the malware retrieves it from content the operators post on a legitimate website, which lets them rotate infrastructure without touching the implant.
In this case, the China-nexus actors used a Pastebin repository shared by both backdoors. The paste holds an encrypted C2 IP address that the malware can only recover through a two-stage decryption process.
“This cryptographic approach ensures that even if the Pastebin account is discovered, the actual C2 server information remains protected, as the corresponding private key is embedded within the malware,” Rochberger and Zemah wrote.
The attackers also used a Dropbox account as a DDR, and likely maintained communications with multiple victim networks over a long period of time through these accounts, the researchers said. Additionally, CL-STA-1087’s malware employed other evasion tactics, such as delayed execution to outlast sandbox analysis and “timestomping,” in which attackers rewrite a file’s Windows time attributes so that newly dropped files, or changes to existing ones, do not stand out in a timeline.
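Timestomping is cheap for an attacker but leaves a few inconsistencies a forensic analyst can look for. The block below is an added example (not code from the Unit 42 report) showing two common triage heuristics: the NTFS $STANDARD_INFORMATION ($SI) timestamps that Explorer displays can be rewritten from user mode, but the $FILE_NAME ($FN) timestamps are maintained by the kernel, so an $SI creation time older than the $FN creation time is a strong signal; and because NTFS stores time in 100 ns ticks, timestamps that land on exactly .000000 seconds usually came from a tool writing whole seconds. It assumes an MFT parser has already exported the four timestamps per file; the records are constructed.

```python
"""Timestomping triage over NTFS $SI/$FN timestamp pairs (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
TOLERANCE = timedelta(seconds=2)  # absorb clock/rounding differences between attributes


@dataclass
class FileRecord:
    path: str
    si_created: datetime   # $SI: what Explorer shows; user-mode SetFileTime() can rewrite it
    si_modified: datetime
    fn_created: datetime   # $FN: set by the kernel when the record is created or renamed
    fn_modified: datetime


def findings(rec: FileRecord) -> list[str]:
    out = []
    # Rule 1: $SI creation older than $FN creation. Normal activity never moves $SI
    # behind $FN; only a direct timestamp write does. Copying a file gives both
    # attributes a fresh creation time, so copies do not trip this rule.
    if rec.si_created + TOLERANCE < rec.fn_created:
        out.append("si_created_predates_fn_created")
    # Rule 2: zeroed sub-second field. Real writes almost never land on .000000,
    # but tools that set times at whole-second granularity do. Archive extractors
    # (zip entries carry 2-second resolution) also produce this, so on its own it
    # is a "review" signal rather than a verdict.
    for name, ts in (("si_created", rec.si_created), ("si_modified", rec.si_modified)):
        if ts.microsecond == 0:
            out.append(f"{name}_whole_seconds")
    return out


def classify(rec: FileRecord) -> tuple[str, list[str]]:
    f = findings(rec)
    if "si_created_predates_fn_created" in f:
        return "likely-timestomped", f
    if f:
        return "review", f
    return "clean", f


def triage(records: list[FileRecord]) -> dict[str, tuple[str, list[str]]]:
    return {rec.path: classify(rec) for rec in records}


# Constructed sample: one untouched system file, one backdated implant, one
# archive-extracted file that legitimately carries a whole-second mtime.
SAMPLE = [
    FileRecord(r"C:\Windows\System32\drivers\etc\hosts",
               datetime(2021, 3, 4, 10, 15, 22, 123456, tzinfo=UTC),
               datetime(2021, 3, 4, 10, 15, 22, 123456, tzinfo=UTC),
               datetime(2021, 3, 4, 10, 15, 22, 123456, tzinfo=UTC),
               datetime(2021, 3, 4, 10, 15, 22, 123456, tzinfo=UTC)),
    FileRecord(r"C:\ProgramData\svc\update.dll",
               datetime(2019, 1, 2, 0, 0, 0, 0, tzinfo=UTC),          # backdated $SI
               datetime(2019, 1, 2, 0, 0, 0, 0, tzinfo=UTC),
               datetime(2023, 6, 18, 14, 2, 11, 487321, tzinfo=UTC),  # kernel's real record
               datetime(2023, 6, 18, 14, 2, 11, 487321, tzinfo=UTC)),
    FileRecord(r"C:\Users\alice\Downloads\tool\readme.txt",
               datetime(2022, 5, 1, 9, 0, 14, 310552, tzinfo=UTC),
               datetime(2022, 4, 28, 17, 30, 0, 0, tzinfo=UTC),       # zip entry time, legit
               datetime(2022, 5, 1, 9, 0, 14, 310552, tzinfo=UTC),
               datetime(2022, 5, 1, 9, 0, 14, 310552, tzinfo=UTC)),
]

if __name__ == "__main__":
    for path, (label, why) in triage(SAMPLE).items():
        print(f"{label:18} {path}  {why}")
```

The $FN rule is the one worth acting on; treat whole-second timestamps as a reason to pull the file into the review queue, not as proof, and confirm either finding against $LogFile or USN journal entries for the same record.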
Rochberger, principal threat researcher at Palo Alto Networks, tells Dark Reading that, whoever is behind the campaign, the threat actors are “both highly skilled and focused,” developing sophisticated custom malware with advanced evasion techniques. Perhaps more importantly, she says, the attackers demonstrated impressive patience throughout the campaign.
“They maintained undetected access for months, went dormant when necessary, and executed precision intelligence collection over multiple years. That level of discipline is harder to achieve than just building good malware,” she says.
Rochberger also says there is usually a split between China-nexus threat groups focused on long-term espionage and others that are focused on “smash-and-grab” attacks. “Unlike CL-STA-1087, these actors go in fast, steal whatever information they can, but often get caught because their activity can be characterized as somewhat ‘noisy’ in an environment,” she says.
Defending Against CL-STA-1087 Threats
One of the key elements in the CL-STA-1087 attacks is the use of legitimate Web and cloud services for malicious activity. Rochberger says Palo Alto Networks has seen an increase in the abuse of legitimate services for C2 infrastructure, “and that trend has accelerated with the rise of AI tools and cloud services that offer easy, anonymous access.”
Because of this rise in abuse, Rochberger urges organizations to be stricter about how their networks interact with even brand-name services like Dropbox and Pastebin.
“If your organization doesn’t officially use or approve certain content hosting or storage services, we’d strongly recommend restricting access,” she says. “At minimum, organizations should implement robust monitoring and alerting for any suspicious traffic to these platforms. The reality is that threat actors specifically choose these services because they blend in with normal Internet traffic and are often overlooked by security teams.”
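The monitoring Rochberger describes is straightforward to prototype from proxy logs. The block below is an added example (not Palo Alto Networks’ code or detection content) that flags every client talking to a watchlist of content-hosting services the hypothetical organization has not approved, then separates casual one-off downloads from the fixed-interval polling a dead-drop resolver produces. The log format, hosts, IP addresses and paths are constructed.

```python
"""Flag unapproved content-hosting traffic and highlight scheduled polling of it
(added example; log format, hosts and addresses are constructed)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Services the hypothetical organization has not approved for business use.
WATCHLIST = ("pastebin.com", "dropbox.com", "dropboxapi.com", "dropboxusercontent.com")
MIN_REQUESTS = 4   # need at least three intervals before judging regularity
MAX_CV = 0.2       # stdev/mean of intervals below this looks scheduled, not human

# Constructed proxy log: "<iso-timestamp> <client-ip> <method> <host> <path> <status> <bytes>"
SAMPLE_LOG = """\
2024-01-15T08:00:03Z 10.1.4.22 GET pastebin.com /raw/EXAMPLE1 200 412
2024-01-15T08:03:41Z 10.1.4.22 GET www.microsoft.com /en-us/ 200 51233
2024-01-15T08:10:12Z 10.1.9.3 POST api.dropboxapi.com /2/files/download 200 8820
2024-01-15T08:12:55Z 10.1.9.3 POST api.dropboxapi.com /2/files/download 200 8820
2024-01-15T08:31:20Z 10.1.7.9 GET www.dropbox.com /s/EXAMPLE2/report.pdf 200 204811
2024-01-15T09:00:05Z 10.1.4.22 GET pastebin.com /raw/EXAMPLE1 200 412
2024-01-15T09:40:07Z 10.1.9.3 POST api.dropboxapi.com /2/files/download 200 8820
2024-01-15T09:41:30Z 10.1.9.3 POST api.dropboxapi.com /2/files/download 200 8820
2024-01-15T10:00:02Z 10.1.4.22 GET pastebin.com /raw/EXAMPLE1 200 412
2024-01-15T11:00:04Z 10.1.4.22 GET pastebin.com /raw/EXAMPLE1 200 412
"""


def on_watchlist(host: str) -> bool:
    """Match the domain itself or any subdomain, never a lookalike suffix."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def parse_line(line: str):
    ts, src, _method, host, path, _status, _nbytes = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, src, host, path


def is_periodic(times: list[datetime]) -> bool:
    """True when inter-request gaps are tight enough to look like a timer."""
    if len(times) < MIN_REQUESTS:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg < MAX_CV


def analyze(lines) -> list[dict]:
    """One alert per (client, watchlisted host); periodic + single resource is the
    dead-drop pattern, a single request is more likely a person clicking a link."""
    seen = defaultdict(list)
    paths = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        when, src, host, path = parse_line(line)
        if on_watchlist(host):
            seen[(src, host)].append(when)
            paths[(src, host)].add(path)
    alerts = []
    for (src, host), times in sorted(seen.items()):
        periodic = is_periodic(times)
        single = len(paths[(src, host)]) == 1
        alerts.append({
            "src": src, "host": host, "requests": len(times),
            "periodic": periodic, "single_resource": single,
            "severity": "high" if periodic and single else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(a)
```

On the constructed log, the client fetching the same paste roughly every hour is the one that rises to high severity; the Dropbox API client with irregular gaps and the single PDF download are still reported, because on a network that does not sanction these services any use is worth a look, but they are not mistaken for beaconing.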
Palo Alto Networks also published indicators of compromise (IOCs) for CL-STA-1087, including SHA-256 hashes of AppleChris and MemFun samples and the IP addresses of the C2 servers.
