U.S. Organization in China Targeted by Attackers

Dec. 6, 2024, 5:25 p.m.

Description

A large U.S. entity with significant operations in China faced a four-month-long cyber intrusion, likely conducted by a China-based threat actor. The attackers obtained persistent network access, moved laterally across systems, compromised Exchange servers to harvest emails, and deployed exfiltration tools, suggesting data theft. Tactics included DLL sideloading, credential dumping, remote execution tools, and reconnaissance of Active Directory.

Date

  • Created: Dec. 6, 2024, 5:11 p.m.
  • Published: Dec. 6, 2024, 5:11 p.m.
  • Modified: Dec. 6, 2024, 5:25 p.m.

Indicators

  • ff91bbe7bd4e6d5498b1332f0ad233dcf0ad5fc0d31f870a92142731354d739c
  • f2fa6ae29306ed7171f2e9563ced9bbd6e337ed8c389b319df3c6b46eeb050f0
  • d32cc7b31a6f98c60abc313abc7d1143681f72de2bb2604711a0ba20710caaae
  • 86fd8328765e4803feedf5878a08c149c08d47c336578261a08a3e1933b68daa
  • 51fe904458e216e75909f82a33dc4f163250b498b4e2d365880184e806d3db1a
  • 472a513eb60cba4a2320ebbc10d84679ebaa1a8f90e5a3764902a456b3936a17
  • 23221b6f95b9e3b165a84570212f2c8681cf888aa0fa78822f8500357eeafaf0
  • 1f6b69d11a3066e21c40002a25986c44e24a66f023a40e5f49eecaea33f5576d
  • edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef
  • c1bec59afd3c6071b461bb480ff88ba7e36759a949f4850cc26f0c18e4c811a0
  • http://149.28.154.23:443/vmtools.exe
  • http://149.28.154.23:443/rar.exe
  • http://149.28.154.23:443

Attack Patterns

  • Suspected China-based threat actor

Additional Information

  • China