Operation Specter: An Active Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
May 23, 2024, 3:25 p.m.
Tags
External References
Description
An analysis reveals long-running espionage operations by a Chinese advanced persistent threat (APT) group against at least seven governmental entities across the Middle East, Africa and Asia since late 2022. The threat actor seeks sensitive and classified information about diplomatic and economic missions, embassies, military operations, political meetings, ministries and high-ranking officials. The campaign uses rare email exfiltration techniques against compromised servers and two previously undocumented backdoors, TunnelSpecter and SweetSpecter. The actor closely tracks geopolitical developments, exfiltrates information daily, and returns repeatedly to re-establish access when its foothold is disrupted. Its tactics, infrastructure and malware have strong connections to Chinese state-aligned interests.
Date
Published: May 23, 2024, 3:06 p.m.
Created: May 23, 2024, 3:06 p.m.
Modified: May 23, 2024, 3:25 p.m.
Indicators
.255.79.17
194.14.217.34
192.225.226.196
108.61.178.125
103.149.90.235
103.108.67.153
103.108.192.238
192.225.226.217
update.microsoft-ns1.com
static.microsoft-ns1.com
safer.ddns.us
poer.whoamis.info
labour.govu.ml
home.microsoft-ns1.com
cloud.microsoft-ns1.com
api.microsoft-ns1.com
microsoft-ns1.com
govu.ml
govm.tk
airjaldinet.ml
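The indicator list above is only useful once it is swept against logs. The following is an added example, not code from the report or its authors: it loads the page's network indicators and checks constructed DNS and proxy log lines against them. Two details matter in practice and are handled here: a domain match must walk up the label hierarchy so that a subdomain the report did not enumerate (for example beacon.microsoft-ns1.com) still hits the listed apex microsoft-ns1.com, while look-alikes such as notgovu.ml must not match; and IP tokens pulled out by a regex must be validated before comparison. The log lines, the client addresses and the 10.20.0.0/16 network are all constructed for the example; the indicator whose first octet is missing on the page is left out rather than guessed.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Network indicators copied from the list above. The entry whose first octet
# is missing on the page is deliberately left out rather than guessed.
SPECTER_IPS = {
    "194.14.217.34", "192.225.226.196", "108.61.178.125", "103.149.90.235",
    "103.108.67.153", "103.108.192.238", "192.225.226.217",
}
SPECTER_DOMAINS = {
    "update.microsoft-ns1.com", "static.microsoft-ns1.com", "safer.ddns.us",
    "poer.whoamis.info", "labour.govu.ml", "home.microsoft-ns1.com",
    "cloud.microsoft-ns1.com", "api.microsoft-ns1.com", "microsoft-ns1.com",
    "govu.ml", "govm.tk", "airjaldinet.ml",
}

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def domain_matches(host: str) -> Optional[str]:
    """Return the listed indicator that covers `host`, or None.

    Walks up the label hierarchy so a subdomain the report did not enumerate
    (e.g. beacon.microsoft-ns1.com) still hits the listed apex, while a
    look-alike such as notgovu.ml or govu.ml.attacker.test does not.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never test a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in SPECTER_DOMAINS:
            return candidate
    return None


def ip_matches(token: str) -> Optional[str]:
    """Return the listed IP if `token` is a valid IPv4 address on the list."""
    try:
        addr = str(ipaddress.ip_address(token))
    except ValueError:                        # e.g. 999.1.1.1 from the regex
        return None
    return addr if addr in SPECTER_IPS else None


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, indicator) pairs for every IOC found in one log line."""
    hits: List[Tuple[str, str]] = []
    for tok in _IPV4.findall(line):
        m = ip_matches(tok)
        if m:
            hits.append(("ip", m))
    for tok in _HOST.findall(line):
        m = domain_matches(tok)
        if m:
            hits.append(("domain", m))
    return hits


def scan(lines: Iterable[str]) -> List[Tuple[int, str, List[Tuple[str, str]]]]:
    """Return (line_number, line, hits) for every line with at least one hit."""
    return [(n, line, hits) for n, line in enumerate(lines, 1)
            if (hits := scan_line(line))]


# Constructed DNS and proxy log lines (not from the report): two hosts in a
# hypothetical 10.20.0.0/16 network, one of them talking to the campaign's
# infrastructure.
SAMPLE_LOGS = [
    "2024-05-20T08:14:02Z dns client=10.20.5.17 qname=api.microsoft-ns1.com qtype=A",
    "2024-05-20T08:14:03Z proxy client=10.20.5.17 dst=108.61.178.125:443 method=POST url=/api/v1/sync bytes=18342",
    "2024-05-20T08:15:10Z dns client=10.20.7.3 qname=login.microsoftonline.com qtype=A",
    "2024-05-20T08:16:44Z dns client=10.20.5.17 qname=beacon.microsoft-ns1.com qtype=A",
    "2024-05-20T08:17:01Z proxy client=10.20.9.9 dst=93.184.216.34:443 method=GET url=/ bytes=512",
]

if __name__ == "__main__":
    for n, line, hits in scan(SAMPLE_LOGS):
        print(f"line {n}: {hits}\n    {line}")
```

Run against the constructed sample, lines 1, 2 and 4 are flagged: the first as the listed api.microsoft-ns1.com, the second as the listed IP 108.61.178.125, and the fourth as the apex microsoft-ns1.com even though beacon.microsoft-ns1.com itself is not on the page. The legitimate login.microsoftonline.com lookup is not flagged. For production use, feed real DNS, proxy and mail-server logs into scan() and treat any hit from the same client within a short window as a single alert; the report notes that this actor retries access after disruption, so a one-off hit on an internal host is worth a full look rather than a single block rule.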
Attack Patterns
SweetSpecter
TunnelSpecter
Moudoor
Mydoor
gh0st RAT - S0032
TGR-STA-0043
T1053.002 - Scheduled Task/Job: At
T1114.003 - Email Collection: Email Forwarding Rule
T1019 - System Firmware (revoked ID; now T1542.001 Pre-OS Boot: System Firmware)
T1122 - Component Object Model Hijacking (revoked ID; now T1546.015 Event Triggered Execution: Component Object Model Hijacking)
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1003.002 - OS Credential Dumping: Security Account Manager
T1003.001 - OS Credential Dumping: LSASS Memory
T1543.003 - Create or Modify System Process: Windows Service
T1053.005 - Scheduled Task/Job: Scheduled Task
T1029 - Scheduled Transfer
T1059.005 - Command and Scripting Interpreter: Visual Basic
T1213 - Data from Information Repositories
T1012 - Query Registry
T1071.001 - Application Layer Protocol: Web Protocols
T1105 - Ingress Tool Transfer
T1055 - Process Injection
T1078 - Valid Accounts
CVE-2021-34473 (Microsoft Exchange Server, ProxyShell)
CVE-2021-26855 (Microsoft Exchange Server, ProxyLogon)
Additional Information
Defense
Government