An advanced persistent threat (APT) hacking group, believed to be from China, planted backdoors to spy on a telecommunications company, a gas company, and a governmental institution in Asia, said a joint report from cybersecurity teams at Avast and ESET.
The group planted backdoors to gain long-term access to corporate networks, said the report, adding that the group was also perhaps behind attacks active in Mongolia, Russia, and Belarus.
None of the organisations targeted by the group are based in India, Avast said.
Avast believes the group is from China, based on the use of Gh0st Remote Access Trojan (RAT), which has been known to be used by Chinese APT groups in the past and similarities in the code Avast analysed and code recently analysed in a campaign attributed to Chinese actors.
The backdoors gave the actors the ability to manipulate and delete files, take screenshots, alter processes, and services, as well as execute console commands, and remove itself.
Additionally, some commands had the capability to instruct the backdoors to exfiltrate data to a command and control (C&C) server.
Infected devices could also be commanded by a C&C server to act as a proxy or listen on a specific port on every network interface. The group also used tools such as Gh0st RAT and Management Instrumentation to move laterally within infiltrated networks.
“The group behind the attack frequently recompiled their custom tools to avoid antivirus detection, which, in addition to the backdoors, included Mimikatz and Gh0st RAT,” said Luigino Camastra, malware researcher at Avast. “Based on what we have discovered and the fact that we were able to tie elements of these attacks back to attacks carried out on other countries, we assume this group is also targeting further countries.”
Avast said it reported its findings to the local Computer Emergency Response Team team, and reached out to the affected telecommunications company it discovered was under attack.