Chinese APT abuses MSC files with GrimResource vulnerability

Sept. 18, 2024, 9:02 a.m.

Description

A Chinese Advanced Persistent Threat (APT) group has been exploiting MSC files using a new diskless shellcode technique. The campaign primarily targets government agencies and critical infrastructure in Southeast Asia, focusing on the Philippines, Vietnam, and Taiwan. The attack chain involves downloading and executing malicious files, including a 64-bit shellcode and the Marte Beacon used with CobaltStrike. The group's modus operandi reflects techniques of Chinese-origin APTs, operating Monday to Friday during hours consistent with Chinese time zones. While precise attribution is not possible, the actor could be a subgroup of APT41. The campaigns have evolved since August 2nd, incorporating a new module into the infection chain. The threat actor uses various decoys and targets both Windows and Linux systems.

Date

Published: Sept. 18, 2024, 8:43 a.m.

Created: Sept. 18, 2024, 8:43 a.m.

Modified: Sept. 18, 2024, 9:02 a.m.

Indicators


Attack Patterns

Marte Beacon

CobaltStrike

Chinese APT (possibly APT41 subgroup)

T1568

T1553.002

T1573.001

T1547.009

T1059.005

T1027.002

T1059.001

T1071.001

T1518.001

T1036.005

T1204.002

T1105

T1055

T1036

T1027

T1059

Additional Information

Energy

Government

Taiwan

Philippines