Chinese APT abuses MSC files with GrimResource vulnerability

Sept. 18, 2024, 9:02 a.m.

Description

A Chinese Advanced Persistent Threat (APT) group has been exploiting MSC files using a new diskless shellcode technique. The campaign primarily targets government agencies and critical infrastructure in Southeast Asia, focusing on the Philippines, Vietnam, and Taiwan. The attack chain involves downloading and executing malicious files, including a 64-bit shellcode and the Marte Beacon with CobaltStrike. The group's modus operandi reflects techniques of Chinese-origin APTs, operating Monday to Friday during hours compatible with Chinese time zones. While precise attribution is not possible, it could be a subgroup of APT41. The campaigns have evolved since August 2nd, incorporating a new module into the infection chain. The threat actor uses various decoys and targets both Windows and Linux systems.

Date

  • Created: Sept. 18, 2024, 8:43 a.m.
  • Published: Sept. 18, 2024, 8:43 a.m.
  • Modified: Sept. 18, 2024, 9:02 a.m.

Indicators

  • f1d519f43c36e24a89b351f00059a1bdb9afc2a339f7301117babb484e2cc555
  • fb640cfb9a86b9dc6806b048c6a88ef6ff546ca830a147322b4e3a3646b70942
  • ebebe25dc22fecceb27c390ce77059ade8188be71e340a1e7b098cb3b73ba855
  • eaae358c15ea26a976804a398c3fc2c25b37db0c89f09307e33cfc9ebcfba1d0
  • e7c58c2e315be01bd3a279c134e471ccf28046f67604b901279594dc5269a0f1
  • ca05513c365c60a8fdabd9e21938796822ecda03909b3ee5f12eb82fefa34d84
  • a725be0997035e10e059f8f3141a12f836aaca13e364cfa588ea548ec38d9498
  • c78a02fa928ed8f83bda56d4b269152074f512c2cb73d59b2029bfc50ac2b8bc
  • a0d662b1765301f38b17b861893d282005d821139524d583ec0cd4ccfc5cd43c
  • 9228d8ad3acec40e5d328f2b3ef4107fbe49107a85eb850c900b516520a1cb20
  • 8542ee752ef2ee498e106c0a6ddc4a9810320d14fd85a857520b19d02db46903
  • 633f5b27245a92b38d114aef292a485650bda737785d8a186b43cba8dc3969ca
  • 59171a541712e089dffee2336ec908aec856a38c4b7fbd74cc7a32fb698bc03e
  • 4edc77c3586ccc255460f047bd337b2d09e2339e3b0b0c92d68cddedf2ac1e54
  • 4887fdb5bd5a59fa1754415dd818d455567cf6fe65fbeb7fbdbbe5b018bc3713
  • 257fa5c998d2117cc38452e6cbd2bf17b507c98ee492b246de6dcbc784585263
  • 333ed1e77dd0ae502dd73ea029957cb015e770cabad3e090ab3db659769f86af
  • 1e6c661d6981c0fa56c011c29536e57d21545fd11205eddf9218269ddf53d448
  • 159d13989d0ae44fddb7b1d4c331f1040d187693f16daa138c651f2cc9b7f6d3
  • 1c13e6b1f57de9aa10441f63f076b7b6bd6e73d180e70e6148b3e551260e31ee
  • 04b336c3bcfe027436f36dfc73a173c37c66288c7160651b11561b39ce2cd25e
  • http://visualstudio-microsoft.com:443
  • http://us2.s3bucket-azure.online:443
  • http://static.trendmicrotech.com:8443
  • http://api.s2cloud-amazon.com:8080
  • us2.s3bucket-azure.online
  • status.s3cloud-azure.com
  • static.trendmicrotech.com
  • api.s2cloud-amazon.com
  • visualstudio-microsoft.com

Attack Patterns

  • Marte Beacon
  • CobaltStrike
  • Chinese APT (possibly APT41 subgroup)

Additional Information

  • Energy
  • Government
  • Taiwan
  • Philippines